
XSS via email preview when CSP disabled

High
jomaxro published GHSA-g4qg-5q2h-m8ph Oct 16, 2023

Package

discourse (Discourse)

Affected versions

stable < 3.1.1; beta/tests-passed < 3.2.0.beta2

Patched versions

stable >= 3.1.2; beta/tests-passed >= 3.2.0.beta2

Description

Impact

Improper escaping of user input allowed for XSS attacks via the digest email preview UI. This issue only affects sites with CSP disabled.

Patches

This problem is patched in the latest version of Discourse.

Workarounds

Ensure CSP is enabled on the forum
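The workaround above hinges on whether the forum actually enforces a Content-Security-Policy, which can be verified from the HTTP response headers alone. The following is an added example (not code from the advisory or from Discourse) that parses a response's CSP header and reports whether a policy is enforced and whether it restricts inline scripts, the class of injection this XSS relies on. The header dicts are constructed for illustration, not captured from any real site; how CSP is toggled inside Discourse itself is not covered here.

```python
"""Check whether an HTTP response actually enforces a Content-Security-Policy.

Constructed example for this advisory's workaround; not Discourse's own code.
Only response headers are inspected.
"""
from typing import Mapping, Optional


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # Browsers ignore a repeated directive, so keep the first occurrence.
        directives.setdefault(name, sources)
    return directives


def csp_status(headers: Mapping[str, str]) -> dict:
    """Report whether CSP is enforced and whether inline scripts are restricted.

    Header names are matched case-insensitively. A
    Content-Security-Policy-Report-Only header blocks nothing, so it is
    reported separately and does not count as enforcement.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    enforced: Optional[str] = lower.get("content-security-policy")
    report_only = "content-security-policy-report-only" in lower
    if enforced is None:
        return {
            "enforced": False,
            "report_only": report_only,
            "script_src": None,
            "restricts_inline_scripts": False,
        }

    directives = parse_csp(enforced)
    # script-src falls back to default-src when it is absent.
    script_src = directives.get("script-src")
    if script_src is None:
        script_src = directives.get("default-src")

    if script_src is None:
        # No directive governs scripts at all: inline scripts run freely.
        restricts = False
    else:
        # With a nonce or hash source present, browsers ignore 'unsafe-inline'.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
            for s in script_src
        )
        restricts = "'unsafe-inline'" not in script_src or has_nonce_or_hash

    return {
        "enforced": True,
        "report_only": report_only,
        "script_src": script_src,
        "restricts_inline_scripts": restricts,
    }


# Constructed sample responses (not captured from any real forum).
SAMPLE_NO_CSP = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_REPORT_ONLY = {"Content-Security-Policy-Report-Only": "script-src 'self'"}
SAMPLE_CSP = {
    "content-security-policy": "base-uri 'none'; object-src 'none'; "
    "script-src 'self' 'nonce-abc123'; default-src 'self'"
}
SAMPLE_WEAK_CSP = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}

SAMPLES = {
    "no CSP": SAMPLE_NO_CSP,
    "report-only": SAMPLE_REPORT_ONLY,
    "nonce-based CSP": SAMPLE_CSP,
    "unsafe-inline CSP": SAMPLE_WEAK_CSP,
}


def check_all() -> dict[str, dict]:
    """Evaluate every constructed sample; used by the demo and the checks."""
    return {name: csp_status(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in check_all().items():
        print(f"{name:18} enforced={status['enforced']!s:5} "
              f"restricts_inline={status['restricts_inline_scripts']}")
```

In practice the header dict would come from a request to the forum's front page (for example `requests.get(url).headers`, a case-insensitive mapping, works directly with `csp_status`). A site that returns no `Content-Security-Policy` header, or only the report-only variant, is in the configuration this advisory describes as affected.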

Severity

High (8.0 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-43659

Weaknesses

No CWEs