Impact
A maliciously crafted URL can be included in a post to carry out XSS attacks on sites with disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability.
Patches
The vulnerability is patched in the latest tests-passed, beta and stable branches.
Workarounds
Enable and/or restore your site's CSP to the default one provided with Discourse.
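The workaround above depends on the site actually serving a restrictive policy. As an added defender-side example (not code from this advisory or from Discourse), the following Python checker parses a Content-Security-Policy header value the way a browser does (first occurrence of a directive wins, script-src falls back to default-src) and reports the source expressions that would let script in injected markup execute. It does not encode Discourse's actual default policy; the sample headers at the bottom are constructed for illustration.

```python
"""Flag Content-Security-Policy headers that would let injected markup run script.

Added illustration, not part of the advisory or of Discourse. The sample
headers in __main__ are constructed and do not represent any real site.
"""
from typing import Dict, List, Optional

# Source expressions that permit injected or arbitrary third-party script.
PERMISSIVE_SCRIPT_SOURCES = {
    "*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a header value into {directive-name: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Per the CSP spec a repeated directive is ignored: the first one wins.
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs script; when absent, default-src applies; else unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def csp_findings(header: Optional[str]) -> List[str]:
    """Return human-readable problems; an empty list means injected script is blocked."""
    if header is None or not header.strip():
        return ["no Content-Security-Policy header: script in injected markup runs unrestricted"]
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return ["neither script-src nor default-src is set: script execution is unrestricted"]
    lowered = [s.lower() for s in sources]
    # Browsers ignore 'unsafe-inline' in script-src once a nonce or hash source is present.
    nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
    findings: List[str] = []
    for src in lowered:
        if src == "'unsafe-inline'" and nonce_or_hash:
            continue
        if src in PERMISSIVE_SCRIPT_SOURCES:
            findings.append(f"script source {src} allows injected or arbitrary script to run")
    return findings


def csp_blocks_injected_script(header: Optional[str]) -> bool:
    """True when the policy stops script carried in crafted post content from executing."""
    return not csp_findings(header)


if __name__ == "__main__":
    # Constructed sample headers, labelled by the situation they represent.
    samples = {
        "disabled": None,
        "permissive": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "nonce-based": "default-src 'self'; script-src 'self' 'nonce-c0nstructed'",
    }
    for label, value in samples.items():
        print(label, "->", csp_findings(value) or "ok")
```

Run it against the header your site actually returns (for example the value shown in browser developer tools) rather than against the value you believe is configured; a reverse proxy or CDN in front of the application can strip or rewrite the header, and that is exactly the "disabled CSP" case the advisory describes.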