Vulnerability Description
Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed) are vulnerable to cross-site scripting. A maliciously crafted URL can be included in a post to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. This vulnerability is patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed). As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 2.8.13 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/security/advisories/GHSA-8mr2-xf8r-wr8m (Third Party Advisory)
FAQ
What is CVE-2023-22468?
CVE-2023-22468 is a vulnerability with a CVSS score of 8.8 (HIGH). Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed) are vulnerable to cross-site scripting. A maliciou...
How severe is CVE-2023-22468?
CVE-2023-22468 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-22468?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse (vendor: Discourse).