XSS user name displayed on post

High
jomaxro published GHSA-7pm2-prxw-wrvp Mar 17, 2023

Package

No package listed

Affected versions

stable <= 3.0.0; beta <= 3.1.0.beta1; tests-passed <= 3.0.1.beta1

Patched versions

stable >= 3.0.1; beta >= 3.1.0.beta2; tests-passed >= 3.1.0.beta2

Description

Impact

A maliciously crafted URL placed in a user's full name field can be used to carry out XSS attacks on sites whose CSP (Content Security Policy) is disabled or overly permissive. Discourse's default CSP prevents exploitation of this vulnerability.

Patches

The vulnerability is patched in the latest tests-passed, beta and stable branches.

Workarounds

Enable and/or restore your site's CSP to the default one provided with Discourse.
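The following is an added illustration for the Impact and Workarounds sections above; it is not Discourse's code and does not reproduce the advisory's actual payload. It shows a hypothetical post-header renderer that interpolates the full name unsanitised, beside a hardened version that escapes the text and only linkifies URLs whose scheme is on an allow list, together with a minimal check of whether a CSP script-src value would let inline script run (which is why the default CSP stops this class of attack while a disabled or overly permissive one does not). The function names, the autolinking behaviour, the scheme allow list and the sample names and policies are all assumptions.

```javascript
// Added example, not Discourse project code. Names, autolink behaviour and
// sample inputs below are assumptions made for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Escape the five characters that matter when text lands in an HTML body or
// double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Return a normalised href for a user-supplied URL, or null if it does not
// parse or its scheme is not allow-listed (e.g. javascript:, data:, vbscript:).
function safeHref(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Vulnerable-style rendering: the full name goes straight into markup, so any
// HTML or URL-bearing payload in the profile field reaches the browser intact.
function renderNameUnsafe(fullName) {
  return `<span class="full-name">${fullName}</span>`;
}

// Hardened rendering: every token is escaped as text, and only tokens that
// parse as a URL with an allowed scheme become links (hypothetical autolink).
function renderNameSafe(fullName) {
  const parts = String(fullName).split(/(\s+)/).map((tok) => {
    const looksLikeUrl = /^[a-z][a-z0-9+.-]*:/i.test(tok);
    const href = looksLikeUrl ? safeHref(tok) : null;
    const text = escapeHtml(tok);
    return href
      ? `<a href="${escapeHtml(href)}" rel="nofollow noopener">${text}</a>`
      : text;
  });
  return `<span class="full-name">${parts.join("")}</span>`;
}

// Parse a Content-Security-Policy header value into directive -> source list.
// Per the spec, a repeated directive name is ignored after its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const part of String(header).split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Decide whether inline script (inline handlers, <script> without nonce/hash)
// would execute under this policy. Absent policy, or no script-src/default-src,
// means the browser default applies and inline script runs. 'unsafe-inline'
// is ignored when a nonce or hash source is also present (CSP Level 2+).
function cspAllowsInlineScript(header) {
  if (!header || !String(header).trim()) return true;
  const directives = parseCsp(header);
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (!sources) return true;
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/i.test(s)
  );
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample inputs (not from the advisory).
const SAMPLE_NAME = "Jane https://example.com";
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'";
const PERMISSIVE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";

console.log(renderNameUnsafe(SAMPLE_NAME));
console.log(renderNameSafe(SAMPLE_NAME));
console.log("strict CSP allows inline script:", cspAllowsInlineScript(STRICT_CSP));
console.log("permissive CSP allows inline script:", cspAllowsInlineScript(PERMISSIVE_CSP));
```

The two halves together make the advisory's point concrete: the renderer is the bug class (user-controlled text reaching markup with a URL it should not trust), and the CSP check is the defence in depth that turns a successful injection into a blocked script on sites that keep the default policy. A site that has disabled CSP, or added 'unsafe-inline' to script-src without a nonce or hash, has removed that second layer.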

Severity

High

CVE ID

CVE-2023-25172

Weaknesses

No CWEs