
Self-XSS through malicious composer message

High
ZogStriP published GHSA-c5h6-6gg5-84fh Nov 29, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.10; beta <= 2.9.0.beta11; tests-passed <= 2.9.0.beta11

Patched versions

stable > 2.8.10; beta > 2.9.0.beta11; tests-passed > 2.9.0.beta11

Description

Impact

A user who composes a malicious message and then navigates to the drafts page could trigger a self-XSS.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

This vulnerability can lead to a full XSS on sites that have modified or disabled Discourse’s default Content Security Policy.
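The note above ties escalation from self-XSS to full XSS to a modified or disabled default CSP. As an added illustration, not code from Discourse or this advisory, the following hypothetical checker parses a Content-Security-Policy header value and reports why its effective script-src would still let an injected script run; the header values used with it are constructed.

```python
"""Hypothetical CSP checker (added example, not Discourse's own code).

Reports the reasons a policy's effective script-src would not stop an
injected script; an empty result means inline injection is blocked."""

# Source expressions that let injected or attacker-hosted scripts run
# (constructed list for the example, not exhaustive).
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "*", "data:", "http:", "https:"}

NO_HEADER = "no Content-Security-Policy header"
NO_SCRIPT_DIRECTIVE = "neither script-src nor default-src set; scripts unrestricted"
UNSAFE_INLINE = "'unsafe-inline' allows injected inline scripts"


def parse_csp(header):
    """Parse a CSP header value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_script_sources(policy):
    """script-src falls back to default-src when absent; None = unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def csp_findings(header):
    """Return the list of reasons the policy would allow an injected script."""
    if not header or not header.strip():
        return [NO_HEADER]
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return [NO_SCRIPT_DIRECTIVE]
    findings = []
    # Per CSP Level 2+, 'unsafe-inline' is ignored once a nonce or hash is
    # present; per CSP Level 3, host/scheme sources are ignored with 'strict-dynamic'.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    has_strict_dynamic = "'strict-dynamic'" in sources
    for src in sources:
        if src == "'unsafe-inline'":
            if not has_nonce_or_hash:
                findings.append(UNSAFE_INLINE)
        elif src in RISKY_SCRIPT_SOURCES and not has_strict_dynamic:
            findings.append(f"{src} allows scripts from any matching origin")
    return findings
```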

Severity

High, 7.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2022-46148

Weaknesses

No CWEs

Credits