Skip to content

XSS through pending post titles descriptions

High
jomaxro published GHSA-ggq4-4qxc-c462 Jan 5, 2023

Package

No package listed

Affected versions

stable <= 2.8.13; beta <= 3.0.0.beta15; tests-passed <= 3.0.0.beta15

Patched versions

stable >= 2.8.14; beta >= 3.0.0.beta16; tests-passed >= 3.0.0.beta16

Description

Impact

Pending post titles can be used for XSS attacks. Pending posts can be created by unprivileged users when a category has the "require moderator approval of all new topics" setting set.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy.

Severity

High
8.0
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-22454

Weaknesses