Skip to content

HTML injection via topic embedding

Moderate
nattsw published GHSA-986p-4x8q-8f48 Apr 18, 2023

Package

No package listed

Affected versions

stable <= 3.0.2; beta <= 3.1.0.beta3; tests-passed <= 3.1.0.beta3

Patched versions

stable >= 3.0.3; beta <= 3.1.0.beta4; tests-passed <= 3.1.0.beta4

Description

Impact

This vulnerability is not exploitable on the default install of Discourse. A custom feature must be enabled for it to work at all, and the attacker’s payload must pass the CSP to be executed. However, if an attacker succeeds in embedding Javascript that does pass the CSP, it could result in session hijacking for any users that view the attacker’s post.

Patches

The vulnerability is patched in the latest tests-passed, beta and stable branches.

Workarounds

Enable and/or restore your site's CSP to the default one provided with Discourse. Remove any embed-able hosts you may have configured.

Severity

Moderate
5.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVE ID

CVE-2023-29196

Weaknesses

No CWEs

Credits