CVE-2023-22468: Stored XSS in local oneboxes

Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed) are vulnerable to cross-site scripting. A maliciously crafted URL can be included in a post to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse’s default CSP prevents this vulnerability. This vulnerability is patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed). As a workaround, enable and/or restore your site’s CSP to the default one provided with Discourse.

Tags: #xss #vulnerability

Package

No package listed

Affected versions

stable <= 3.0.0; beta <= 3.1.0.beta1; tests-passed <= 3.0.1.beta1

Patched versions

stable >= 3.0.1; beta >= 3.1.0.beta2; tests-passed >= 3.1.0.beta2

Description

Impact

A maliciously crafted URL can be included in a post to carry out XSS attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse’s default CSP prevents this vulnerability.

Patches

The vulnerability is patched in the latest tests-passed, beta and stable branches.

Workarounds

Enable and/or restore your site’s CSP to the default one provided with Discourse.
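The workaround depends on the site's CSP actually restricting where script may run, so an operator will want a quick way to tell a disabled or overly permissive policy from a sound one. The following checker is an added example, not Discourse code, and the sample header values are constructed for illustration rather than copied from Discourse's real default policy. It parses a `Content-Security-Policy` header, resolves the effective script sources (`script-src`, falling back to `default-src`), and reports the conditions that let injected script execute: no policy at all, no script restriction, or sources such as `'unsafe-inline'`, `'unsafe-eval'`, wildcards and bare schemes. It also handles the edge case that `'unsafe-inline'` is ignored by CSP Level 2+ browsers when a nonce or hash source is present, so such a policy is not flagged.

```python
"""Flag Content-Security-Policy settings that would let stored XSS execute.

Added example for this advisory; not part of Discourse. Sample headers
below are constructed and do not reproduce Discourse's actual default CSP.
"""

# Script sources that defeat CSP as an XSS mitigation.
RISKY_SCRIPT_SOURCES = {
    "'unsafe-inline'",  # any injected <script> or on* handler runs
    "'unsafe-eval'",    # string-to-code (eval, Function) allowed
    "*",                # any origin
    "data:",            # attacker-controlled data: URLs
    "http:",            # any host over plain HTTP
    "https:",           # any host over HTTPS
}

HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a CSP header value into {directive_name: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy):
    """script-src governs script; default-src is the fallback; None if neither."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def assess_csp(header):
    """Return a list of findings; an empty list means no obvious weakness."""
    if header is None or not header.strip():
        return ["CSP disabled: no Content-Security-Policy header"]

    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: scripts from any origin allowed"]

    # CSP Level 2+: a nonce or hash source makes browsers ignore 'unsafe-inline'.
    nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in sources)

    findings = []
    for src in sources:
        if src == "'unsafe-inline'" and nonce_or_hash:
            continue
        if src in RISKY_SCRIPT_SOURCES:
            findings.append(f"permissive script source: {src}")
    return findings


# Constructed sample headers (hypothetical; not Discourse's real policy).
SAMPLE_HEADERS = {
    "disabled": None,
    "permissive": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
    "nonce-based": "default-src 'none'; script-src 'self' 'nonce-abc123'; object-src 'none'",
}


def assess_samples(samples=SAMPLE_HEADERS):
    """Assess every sample header; returns {name: findings}."""
    return {name: assess_csp(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, findings in assess_samples().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:12s} {status}")
```

Run it against the header your site actually sends (for example, the value shown by `curl -sI` on a topic page) rather than the constructed samples; an empty findings list for that header is the condition the workaround above is meant to restore.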
