CVE-2023-22455 - Unspecified vulnerability in Discourse
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: LOW
- Integrity impact: LOW
- Availability impact: NONE

Summary
Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, tag descriptions, which can be updated by moderators, can be used for cross-site scripting attacks. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. Versions 2.8.14 and 3.0.0.beta16 contain a patch.
Vulnerable Configurations
References
- https://github.com/discourse/discourse/commit/692329896ac64d8581947e977202c243eef3b5a2
- https://github.com/discourse/discourse/security/advisories/GHSA-5rq6-466r-6mr9