YouTube Onebox susceptible to XSS

High
davidtaylorhq published GHSA-9x4c-29xg-56hw Jul 15, 2021

Package

Discourse

Affected versions

stable <= 2.7.5; beta <= 2.8.0.beta2; tests-passed <= 2.8.0.beta2

Patched versions

stable >= 2.7.6; beta >= 2.8.0.beta3; tests-passed >= 2.8.0.beta3

Description

Impact

Parsing and rendering of YouTube Oneboxes can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

Ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.
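One way to check this workaround from the outside, as an added example that is not part of the advisory or of Discourse's own code: a Ruby function that inspects a site's CSP response headers and reports settings that weaken script protection. The choice of checks is an assumption about what counts as "more vulnerable", and any header values passed to it here are constructed samples.

```ruby
# Added example (not Discourse code): audit CSP response headers for
# settings that weaken protection against script injection.
# `headers` is a Hash of response headers with lowercase names.

# Parse a CSP header value into { directive => [sources] }.
def parse_csp(value)
  value.to_s.split(";").each_with_object({}) do |part, policy|
    name, *sources = part.strip.split(/\s+/)
    next if name.nil?
    policy[name.downcase] ||= sources # the first occurrence of a directive wins
  end
end

# Return an array of findings; an empty array means none of the checks fired.
def audit_csp(headers)
  enforced = headers["content-security-policy"].to_s.strip
  if enforced.empty?
    if headers["content-security-policy-report-only"]
      return ["CSP is report-only: violations are reported, not blocked"]
    end
    return ["no Content-Security-Policy header: CSP is disabled"]
  end

  policy = parse_csp(enforced)
  # script-src falls back to default-src when it is absent.
  sources = policy["script-src"] || policy["default-src"]
  return ["no script-src or default-src: scripts are unrestricted"] if sources.nil?

  lowered = sources.map(&:downcase)
  strict_dynamic = lowered.include?("'strict-dynamic'")
  nonce_or_hash = lowered.any? do |s|
    s.start_with?("'nonce-", "'sha256-", "'sha384-", "'sha512-")
  end

  findings = []
  # Browsers ignore 'unsafe-inline' when a nonce, hash or 'strict-dynamic' is present.
  if lowered.include?("'unsafe-inline'") && !nonce_or_hash && !strict_dynamic
    findings << "script policy allows 'unsafe-inline'"
  end
  findings << "script policy allows 'unsafe-eval'" if lowered.include?("'unsafe-eval'")
  # Host and scheme sources are ignored under 'strict-dynamic'.
  unless strict_dynamic
    (lowered & %w[* data: http: https:]).each do |s|
      findings << "script policy allows overly broad source #{s}"
    end
  end
  findings
end
```

Feed it the headers of a rendered topic page (for instance from `Net::HTTP` with the names lowercased); any finding is a reason to compare the site's CSP settings with the defaults.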

Severity

High, 8.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2021-32764

Weaknesses