Impact
A maliciously crafted URL can be included in a user's full name field to carry out XSS attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability.
Patches
The vulnerability is patched in the latest tests-passed, beta and stable branches.
Workarounds
Enable and/or restore your site's CSP to the default one provided with Discourse.
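To check whether a site falls into the "disabled or overly permissive CSP" case described above, the following added example (not part of the advisory or of Discourse) audits the response headers returned by a forum page. The criteria for "overly permissive" are assumptions, only `script-src` and its `default-src` fallback are examined, and the sample headers are constructed.

```python
# Added example. The criteria for "overly permissive" are assumptions,
# not Discourse's definition; the sample headers below are constructed.
RISKY = {
    "'unsafe-inline'": "inline scripts are allowed",
    "*": "scripts are allowed from any origin",
    "data:": "data: URLs are allowed as a script source",
    "http:": "scripts are allowed from any http origin",
    "https:": "scripts are allowed from any https origin",
}
HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first one applies.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_csp(headers):
    """Return a list of findings for a dict of response headers ([] = none)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-security-policy", "").strip()
    if not value:
        if "content-security-policy-report-only" in lowered:
            return ["CSP is report-only: violations are reported, not blocked"]
        return ["no Content-Security-Policy header: CSP is disabled"]
    policy = parse_csp(value)
    # script-src falls back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["neither script-src nor default-src is set: scripts are unrestricted"]
    has_nonce_or_hash = any(s.startswith(HASH_PREFIXES) for s in sources)
    findings = []
    for src in sources:
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present.
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if src in RISKY:
            findings.append(f"script source {src}: {RISKY[src]}")
    return findings

SAMPLES = {  # constructed response headers
    "disabled": {"Server": "nginx"},
    "permissive": {"Content-Security-Policy": "script-src 'self' 'unsafe-inline' *"},
    "restrictive": {"content-security-policy": "default-src 'none'; script-src 'self' 'nonce-r4nd0m'"},
}
```

Pass it the headers from a real response (for example, those captured with `curl -sI`) as a dict; any finding means the site should not rely on CSP as the mitigation and should be upgraded to a patched release.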
Severity
High
CVE ID
CVE-2023-25172
Weaknesses
No CWEs