Impact
A maliciously crafted URL can be included in a post to carry out XSS attacks on sites with disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability.
Patches
The vulnerability is patched in the latest tests-passed, beta and stable branches.
Workarounds
Enable and/or restore your site's CSP to the default one provided with Discourse.
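The workaround hinges on whether the site still sends an enforced, non-permissive CSP. The following Python is an added example, not Discourse's own code, and it does not reproduce Discourse's actual default policy; it applies general CSP rules (effective script-src, wildcard and 'unsafe-*' keywords, report-only vs enforced) to sample header values constructed here, so an operator can see why a missing or loosened policy leaves a crafted URL able to run script.

```python
"""Check whether a Content-Security-Policy header is present and not overly permissive.

Added example (not Discourse's own code). The sample header values below are
constructed for illustration and are not Discourse's real default CSP.
"""

# Source expressions that let script-src be satisfied by attacker-influenced content.
PERMISSIVE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]} (directive names lowercased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_policy_findings(header):
    """Return a list of findings for the effective script-src of one enforced CSP value.

    An empty list means scripts are restricted to explicit, non-wildcard sources.
    """
    if not header or not header.strip():
        return ["no Content-Security-Policy header (CSP disabled)"]
    policy = parse_csp(header)
    # script-src falls back to default-src when absent; with neither, scripts are unrestricted.
    sources = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src")
        if sources is None:
            return ["no script-src or default-src directive (scripts unrestricted)"]
    lowered = [s.lower() for s in sources]
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    findings = []
    for src in lowered:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if src in PERMISSIVE_SOURCES:
            findings.append(f"script-src allows {src}")
    return findings


def findings_from_headers(headers):
    """Evaluate a dict of response headers (names compared case-insensitively).

    A Report-Only policy is flagged because it reports violations but does not block them.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    enforced = lowered.get("content-security-policy")
    if enforced is None:
        if "content-security-policy-report-only" in lowered:
            return ["only Content-Security-Policy-Report-Only set: policy is not enforced"]
        return script_policy_findings("")
    return script_policy_findings(enforced)


# Constructed sample policies (hypothetical; not Discourse's real defaults).
STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'"
PERMISSIVE_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"


if __name__ == "__main__":
    for name, value in [("strict", STRICT_CSP), ("permissive", PERMISSIVE_CSP), ("disabled", "")]:
        print(name, script_policy_findings(value) or ["ok"])
    print("report-only", findings_from_headers(
        {"Content-Security-Policy-Report-Only": STRICT_CSP}))
```

In practice `findings_from_headers` would be fed the headers of a real response to the site's front page (for example the `.headers` object from an HTTP client); any non-empty finding list means the defence-in-depth that the advisory relies on is absent, and the site should be restored to the default policy and patched.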