XSS via email preview when CSP disabled
Package
discourse
(Discourse)
Affected versions
stable < 3.1.1; beta/tests-passed < 3.2.0.beta2
Patched versions
stable >= 3.1.2; beta/tests-passed >= 3.2.0.beta2
Impact
Improper escaping of user input allowed XSS attacks via the digest email preview UI. This issue only affects sites with CSP disabled.
Patches
This problem is patched in the latest version of Discourse.
Workarounds
Ensure CSP is enabled on the forum.