Exploit Report

Computer Security And Bug Information


CVE Title
Published Date2023-03-17T17:15Z
Modified Date2023-03-23T20:40Z
CWE TypeCWE-79
DescriptionDiscourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, a maliciously crafted URL can be included in a user's full name field to to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.
By clicking these links you will leave this website. We do not endorse and will not be held accountable for any activity on external sites.
Reference URLhttps://github.com/discourse/discourse/commit/1a5a6f66cb821ed29a737311d6fdc2eba5adc915
Reference DescriptionMISC https://github.com/discourse/discourse/commit/1a5a6f66cb821ed29a737311d6fdc2eba5adc915
Reference URLhttps://github.com/discourse/discourse/security/advisories/GHSA-7pm2-prxw-wrvp
Reference DescriptionMISC https://github.com/discourse/discourse/security/advisories/GHSA-7pm2-prxw-wrvp
Reference URLhttps://github.com/discourse/discourse/pull/20008
Reference DescriptionMISC https://github.com/discourse/discourse/pull/20008
Reference URLhttps://github.com/discourse/discourse/pull/20009
Reference DescriptionMISC https://github.com/discourse/discourse/pull/20009
Reference URLhttps://github.com/discourse/discourse/commit/c186a46910431020e8efc425dec2133e7a99fa9a
Reference DescriptionMISC https://github.com/discourse/discourse/commit/c186a46910431020e8efc425dec2133e7a99fa9a

This site's data is aggregated programmatically and provided "as is" without any representations or warranties, express or implied. Exploit.report is not affiliated with the The MITRE Corporation, U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), or US government in any way. CVE and the CVE logo are registered trademarks of The MITRE Corporation

© 2022 Exploit.Report | Data | Contact | Privacy Policy | Articles