CVE-2022-46148: Self-XSS through malicious composer message

Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the stable branch and versions 2.9.0.beta11 and prior on the beta and tests-passed branches, a user composing a malicious message and then navigating to the drafts page could trigger a self-XSS. On sites that have modified or disabled Discourse's default Content Security Policy, this can escalate to a full XSS. The issue is patched in the latest stable, beta and tests-passed versions of Discourse.


Package

Discourse (Discourse)

Affected versions

stable <= 2.8.10; beta <= 2.9.0.beta11; tests-passed <= 2.9.0.beta11

Patched versions

stable > 2.8.10; beta > 2.9.0.beta11; tests-passed > 2.9.0.beta11
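To check whether a given Discourse instance falls inside the affected ranges above, the following added example (not part of the advisory or of Discourse's own code) parses the version strings in the form the advisory uses and treats a beta as older than the final release of the same x.y.z:

```python
import re
from typing import Tuple

# Upper bounds of the affected ranges, per branch, as stated in the advisory.
AFFECTED_MAX = {
    "stable": "2.8.10",
    "beta": "2.9.0.beta11",
    "tests-passed": "2.9.0.beta11",
}

# Matches "2.8.10" and "2.9.0.beta11"; other layouts are rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.beta(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Discourse version string into a tuple that compares correctly.

    The fourth element is 1 for a final release and 0 for a beta, so
    2.9.0.beta11 sorts below 2.9.0; the fifth element is the beta number.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Discourse version: {version!r}")
    major, minor, patch, beta = match.groups()
    if beta is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(beta))


def is_affected(branch: str, version: str) -> bool:
    """True if `version` on `branch` is at or below the advisory's upper bound."""
    if branch not in AFFECTED_MAX:
        raise ValueError(f"unknown Discourse branch: {branch!r}")
    return parse_version(version) <= parse_version(AFFECTED_MAX[branch])


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for branch, version in [("stable", "2.8.10"), ("stable", "2.8.11"),
                            ("beta", "2.9.0.beta11"), ("beta", "2.9.0.beta12")]:
        state = "affected" if is_affected(branch, version) else "patched"
        print(f"{branch:<13} {version:<14} {state}")
```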

Description

Impact

A user composing a malicious message and then navigating to the drafts page could trigger a self-XSS.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy.
