XSS through tag descriptions
Package
No package listed
Affected versions
stable <= 2.8.13; beta <= 3.0.0.beta15; tests-passed <= 3.0.0.beta15
Patched versions
stable >= 2.8.14; beta >= 3.0.0.beta16; tests-passed >= 3.0.0.beta16
Impact
Tag descriptions, which can be updated by moderators, can be used for XSS attacks.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy.
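The two controls this advisory touches, output encoding of moderator-supplied text and a Content Security Policy that refuses inline scripts, can be checked directly. The Ruby below is an added example, not Discourse's own code: it escapes a constructed tag description at the point of rendering and evaluates whether a given CSP header value still blocks inline script execution. The tag-card markup, the sample description and the CSP strings are all assumptions made for illustration.

```ruby
require "erb"

# Constructed sample input (not from Discourse): a tag description as a
# moderator might submit it, including markup that must never execute.
SAMPLE_DESCRIPTION = %q{Posts about widgets <script>alert(document.cookie)</script>}

# Output-encode a tag description so the browser treats it as text, not markup.
def escape_description(description)
  ERB::Util.html_escape(description.to_s)
end

# Build the HTML for a hypothetical tag card. Both the tag name and the
# description are moderator-controlled, so both are escaped on output.
def render_tag_card(name, description)
  "<div class=\"tag-card\"><span class=\"tag-name\">#{escape_description(name)}</span>" \
  "<p class=\"tag-description\">#{escape_description(description)}</p></div>"
end

# Parse a Content-Security-Policy header value into a directive => sources map.
def parse_csp(header_value)
  header_value.split(";").each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    acc[name] = sources if name
  end
end

# True when the effective script directive refuses inline scripts.
# script-src falls back to default-src when absent (standard CSP semantics).
# This is a conservative check: any 'unsafe-inline' source fails it, even if a
# nonce or hash would make browsers ignore that keyword.
def csp_blocks_inline_scripts?(header_value)
  policy = parse_csp(header_value)
  sources = policy["script-src"] || policy["default-src"]
  return false if sources.nil? # no policy governing scripts at all
  !sources.include?("'unsafe-inline'")
end

if __FILE__ == $PROGRAM_NAME
  puts render_tag_card("widgets", SAMPLE_DESCRIPTION)
  puts csp_blocks_inline_scripts?("default-src 'self'; script-src 'self' https://cdn.example.com")
  puts csp_blocks_inline_scripts?("default-src 'self'; script-src 'self' 'unsafe-inline'")
end
```

The escaping is the primary fix; the CSP check only measures the defense-in-depth layer the advisory says some sites have weakened. A site returning `false` from the second function is exactly the configuration the Workarounds note describes, where a stored payload in a tag description executes rather than being blocked by the browser.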