Headline
CVE-2023-22468: Stored XSS in local oneboxes
Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed) are vulnerable to cross-site scripting. A maliciously crafted URL can be included in a post to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse’s default CSP prevents this vulnerability. This vulnerability is patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed). As a workaround, enable and/or restore your site’s CSP to the default one provided with Discourse.
Package
No package listed
Affected versions
stable <= 3.0.0; beta <= 3.1.0.beta1; tests-passed <= 3.0.1.beta1
Patched versions
stable >= 3.0.1; beta >= 3.1.0.beta2; tests-passed >= 3.1.0.beta2
Description
Impact
A maliciously crafted URL can be included in a post to carry out XSS attacks on sites with disabled or overly permissive CSP (Content Security Policy). Discourse’s default CSP prevents this vulnerability.
Patches
The vulnerability is patched in the latest tests-passed, beta and stable branches.
Workarounds
Enable and/or restore your site’s CSP to the default one provided with Discourse.
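The workaround above hinges on whether a site's Content Security Policy is present and restrictive. The following Python script is an added example, not part of this advisory and not Discourse code: it parses a CSP header value and flags the conditions under which injected markup from a post could execute (no policy, no script-src/default-src, wildcard or scheme-only script sources, or 'unsafe-inline' without a nonce or hash). Which source expressions count as "overly permissive" is an assumption of this example rather than Discourse's definition of its default policy, and the sample headers are constructed.

```python
"""Audit a Content-Security-Policy header for settings that would let a stored
XSS payload execute.

Added illustration only: not Discourse code. The PERMISSIVE_SCRIPT_SOURCES set
is an assumption of this example; compare results against your site's actual
default policy rather than treating this as the reference definition.
"""
from __future__ import annotations

# Source expressions that make script-src effectively useless against injected
# markup (assumed set for this example).
PERMISSIVE_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "data:", "http:", "https:"}

# Constructed sample headers, one per hypothetical site.
SAMPLE_HEADERS = {
    "no-csp": None,
    "default-like": "default-src 'self'; script-src 'self' 'nonce-abc123'; "
                    "object-src 'none'; base-uri 'self'",
    "inline-allowed": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "wildcard": "default-src *",
    "no-script-directive": "img-src *; style-src 'self'",
}


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive, so they are lower-cased; a repeated directive keeps
    its first occurrence, which matches browser behaviour.
    """
    policy: dict[str, list[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]):
    """Return (directive, sources) governing scripts: script-src if present,
    otherwise default-src as its fallback, otherwise None (unrestricted)."""
    for directive in ("script-src", "default-src"):
        if directive in policy:
            return directive, policy[directive]
    return None


def csp_findings(header_value: str | None) -> list[str]:
    """Return a list of human-readable findings; an empty list means the
    policy restricts script execution under this example's assumptions."""
    if header_value is None or not header_value.strip():
        return ["no Content-Security-Policy header: inline script from a post can run"]
    policy = parse_csp(header_value)
    effective = effective_script_sources(policy)
    if effective is None:
        return ["neither script-src nor default-src set: script execution is unrestricted"]
    directive, sources = effective
    # Per CSP Level 2+, 'unsafe-inline' is ignored when a nonce or hash source
    # is present, so it is only a finding when neither exists.
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    findings = []
    for src in sources:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if src in PERMISSIVE_SCRIPT_SOURCES:
            findings.append(f"effective script-src ({directive}) allows {src}")
    if "'strict-dynamic'" in sources and not has_nonce_or_hash:
        findings.append("'strict-dynamic' without a nonce or hash source")
    return findings


def audit_all(headers: dict[str, str | None] = SAMPLE_HEADERS) -> dict[str, list[str]]:
    """Run csp_findings over a mapping of site name -> header value."""
    return {name: csp_findings(value) for name, value in headers.items()}


if __name__ == "__main__":
    for site, findings in audit_all().items():
        status = "OK" if not findings else "RISK"
        print(f"{site:22} {status:5} {'; '.join(findings)}")
```

Run it with your site's real header value (for example, pulled from a browser's network panel or `curl -sI`) in place of the constructed samples; an empty findings list for the script-governing directive is the state the advisory's workaround asks you to restore.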