Skip to content

XSS via blocked watched word in error message

Low
nbianca published GHSA-qvqx-2h7w-m479 Sep 27, 2021

Package

discourse (Discourse)

Affected versions

stable <= 2.7.7; beta <= 2.8.0.beta6; tests-passed <= 2.8.0.beta6;

Patched versions

stable >= 2.7.8; beta >= 2.8.0.beta6; tests-passed >= 2.8.0.beta6;

Description

Impact

Rendering of some error messages that contain user input can be susceptible to XSS attacks. This vulnerability only affects sites which have blocked watched words that contain HTML tags, modified or disabled Discourse's default Content Security Policy.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy, and have blocked watched words containing HTML tags.

Severity

Low

CVE ID

CVE-2021-41095

Weaknesses

No CWEs