Stored XSS in local oneboxes

High
pmusaraj published GHSA-8mr2-xf8r-wr8m Jan 25, 2023

Package

No package listed

Affected versions

stable <= 3.0.0; beta <= 3.1.0.beta1; tests-passed <= 3.0.1.beta1

Patched versions

stable >= 3.0.1; beta >= 3.1.0.beta2; tests-passed >= 3.1.0.beta2

Description

Impact

A maliciously crafted URL can be included in a post to carry out XSS attacks on sites with disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability.

Patches

The vulnerability is patched in the latest tests-passed, beta and stable branches.

Workarounds

Enable your site's CSP and/or restore it to the default policy shipped with Discourse.
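As an added example (not code from the advisory or from the Discourse project), here is a small Ruby check, Ruby being the language Discourse is written in, that parses a site's Content-Security-Policy response header and reports whether it is absent or permissive enough to let an injected script execute, which is the condition the advisory names for this bug being exploitable. The header strings at the bottom are constructed samples, not Discourse's actual default policy.

```ruby
# Added example: audit a Content-Security-Policy header value for the
# conditions under which a stored XSS like CVE-2023-22468 would run.
# Not part of the advisory or of Discourse itself.

# Parse a CSP header value into { "directive" => ["source", ...] }.
def parse_csp(header)
  return {} if header.nil? || header.strip.empty?
  header.split(";").each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty? || tokens[0].empty?
    acc[tokens[0].downcase] = tokens[1..].map(&:downcase)
  end
end

# Return an array of findings explaining why the policy would not block
# script injection. An empty array means the script policy is restrictive.
def csp_findings(header)
  policy = parse_csp(header)
  return ["no Content-Security-Policy header present"] if policy.empty?

  # Per the CSP spec, script-src falls back to default-src when absent.
  sources = policy["script-src"] || policy["default-src"]
  return ["neither script-src nor default-src set; scripts unrestricted"] if sources.nil?

  findings = []
  # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  nonce_or_hash = sources.any? do |s|
    s.start_with?("'nonce-", "'sha256-", "'sha384-", "'sha512-")
  end
  if sources.include?("'unsafe-inline'") && !nonce_or_hash
    findings << "'unsafe-inline' allows injected inline scripts"
  end
  findings << "'unsafe-eval' permits string-to-code execution" if sources.include?("'unsafe-eval'")
  findings << "wildcard '*' allows scripts from any origin" if sources.include?("*")
  findings << "data: scheme allows script from data: URLs" if sources.include?("data:")
  findings
end

# Constructed sample headers (hypothetical, for illustration only).
SAMPLE_HEADERS = {
  permissive: "default-src 'self'; script-src 'self' 'unsafe-inline' *",
  restrictive: "base-uri 'none'; object-src 'none'; script-src 'self' 'nonce-abc123'"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HEADERS.each { |name, h| puts "#{name}: #{csp_findings(h).inspect}" }
end
```

Run it against the value of a site's `Content-Security-Policy` response header; any finding means the policy is in the "disabled or overly permissive" state the advisory describes rather than the default.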

Severity

High (8.8 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-22468

Weaknesses

No CWEs

Credits