Headline
CVE-2022-46148: Self-XSS through malicious composer message
Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the stable branch, and versions 2.9.0.beta11 and prior on the beta and tests-passed branches, a user who composes a malicious message and then navigates to the drafts page could trigger XSS against themselves (self-XSS). This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy.
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Package
Discourse (Discourse)
Affected versions
stable <= 2.8.10; beta <= 2.9.0.beta11; tests-passed <= 2.9.0.beta11
Patched versions
stable > 2.8.10; beta > 2.9.0.beta11; tests-passed > 2.9.0.beta11
Description
Impact
A user who composes a malicious message and then navigates to the drafts page could trigger XSS against themselves (self-XSS).
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy; sites running the default Content Security Policy are limited to the self-XSS described above.