What is CVE-2023-22468?

CVE-2023-22468 is a vulnerability in Discourse, an open source platform for community discussion, which allows cross-site scripting attacks.

How severe is CVE-2023-22468?

CVE-2023-22468 has a severity rating of high (5.4).

What software versions are affected by CVE-2023-22468?

Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta), and 3.0.0.beta16 (tests-passed) of Discourse are affected by CVE-2023-22468.

How can I fix CVE-2023-22468?

To fix CVE-2023-22468, you should update your Discourse installation to version 2.8.13 (stable), 3.0.0.beta16 (beta), or 3.0.0.beta16 (tests-passed) or later.

Where can I find more information about CVE-2023-22468?

You can find more information about CVE-2023-22468 in the official GitHub advisory: [link](https://github.com/discourse/discourse/security/advisories/GHSA-8mr2-xf8r-wr8m).

Vulnerability/
CVE-2023-22468

high

8.8

CWE

26/1/2023

2/8/2024

CVE-2023-22468: Discourse vulnerable to Cross-site Scripting in local oneboxes

First published: Thu Jan 26 2023(Updated: )

Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed), are vulnerable to cross-site Scripting. A maliciously crafted URL can be included in a post to carry out cross-site scripting attacks on sites with disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. This vulnerability is patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed). As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse	<2.8.13
Discourse	=2.9.0-beta1
Discourse	=2.9.0-beta10
Discourse	=2.9.0-beta11
Discourse	=2.9.0-beta12
Discourse	=2.9.0-beta13
Discourse	=2.9.0-beta14
Discourse	=2.9.0-beta2
Discourse	=2.9.0-beta3
Discourse	=2.9.0-beta4
Discourse	=2.9.0-beta5
Discourse	=2.9.0-beta6
Discourse	=2.9.0-beta7
Discourse	=2.9.0-beta8
Discourse	=2.9.0-beta9
Discourse	=3.0.0-beta15

Never miss a vulnerability like this again

Reference Links

https://github.com/discourse/discourse/security/advisories/GHSA-8mr2-xf8r-wr8m

Frequently Asked Questions

What is CVE-2023-22468?
CVE-2023-22468 is a vulnerability in Discourse, an open source platform for community discussion, which allows cross-site scripting attacks.
How severe is CVE-2023-22468?
CVE-2023-22468 has a severity rating of high (5.4).
What software versions are affected by CVE-2023-22468?
Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta), and 3.0.0.beta16 (tests-passed) of Discourse are affected by CVE-2023-22468.
How can I fix CVE-2023-22468?
To fix CVE-2023-22468, you should update your Discourse installation to version 2.8.13 (stable), 3.0.0.beta16 (beta), or 3.0.0.beta16 (tests-passed) or later.
Where can I find more information about CVE-2023-22468?
You can find more information about CVE-2023-22468 in the official GitHub advisory: [link](https://github.com/discourse/discourse/security/advisories/GHSA-8mr2-xf8r-wr8m).

agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/author
agent/references
agent/title
agent/weakness
agent/severity
agent/last-modified-date
agent/description
agent/first-publish-date
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/discourse
canonical/discourse
version/discourse/2.9.0-beta1
version/discourse/2.9.0-beta10
version/discourse/2.9.0-beta11
version/discourse/2.9.0-beta12
version/discourse/2.9.0-beta13
version/discourse/2.9.0-beta14
version/discourse/2.9.0-beta2
version/discourse/2.9.0-beta3
version/discourse/2.9.0-beta4
version/discourse/2.9.0-beta5
version/discourse/2.9.0-beta6
version/discourse/2.9.0-beta7
version/discourse/2.9.0-beta8
version/discourse/2.9.0-beta9
version/discourse/3.0.0-beta15