CVE-2023-22468

MEDIUM5.4EPSS 0.40%

Discourse vulnerable to Cross-site Scripting in local oneboxes

發布日:2024/3/6修改日:2026/5/11

描述

Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0 (tests-passed), are vulnerable to cross-site Scripting. A maliciously crafted URL can be included in a post to carry out cross-site scripting attacks on sites with disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. This vulnerability is patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0 (tests-passed). As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.

受影響套件(1)

Bitnami/discoursefrom 0, < 2.8.13

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

參考連結(2)

WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-8mr2-xf8r-wr8m
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2023-22468