Vulnerability Description
Discourse Mermaid (discourse-mermaid-theme-component) allows users of Discourse, open-source forum software, to create graphs using the Mermaid syntax. Users of discourse-mermaid-theme-component version 1.0.0 who can create posts are able to inject arbitrary HTML on that post. The issue has been fixed on the `main` branch of the GitHub repository, with 1.1.0 named as a patched version. Admins can update the theme component through the admin UI. As a workaround, admins can temporarily disable discourse-mermaid-theme-component.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Mermaid | >= 1.0.0, < 1.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse-mermaid-theme-component/commit/c10bc4a08bPatchThird Party Advisory
- https://github.com/discourse/discourse-mermaid-theme-component/pull/14PatchThird Party Advisory
- https://github.com/discourse/discourse-mermaid-theme-component/security/advisoriThird Party Advisory
- https://github.com/discourse/discourse-mermaid-theme-component/commit/c10bc4a08bPatchThird Party Advisory
- https://github.com/discourse/discourse-mermaid-theme-component/pull/14PatchThird Party Advisory
- https://github.com/discourse/discourse-mermaid-theme-component/security/advisoriThird Party Advisory
FAQ
What is CVE-2022-46180?
CVE-2022-46180 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Discourse Mermaid (discourse-mermaid-theme-component) allows users of Discourse, open-source forum software, to create graphs using the Mermaid syntax. Users of discourse-mermaid-theme-component versi...
How severe is CVE-2022-46180?
CVE-2022-46180 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-46180?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Mermaid.