CVE-2023-25172: Discourse vulnerable to Cross-site Scripting - user name displayed on post
First published: Fri Mar 17 2023(Updated: )
Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, a maliciously crafted URL can be included in a user's full name field to to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Discourse Discourse | <3.0.1 | |
| Discourse Discourse | <3.1.0 | |
| Discourse Discourse | =3.1.0-beta1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/discourse/discourse/commit/1a5a6f66cb821ed29a737311d6fdc2eba5adc915
- https://github.com/discourse/discourse/commit/c186a46910431020e8efc425dec2133e7a99fa9a
- https://github.com/discourse/discourse/pull/20008
- https://github.com/discourse/discourse/pull/20009
- https://github.com/discourse/discourse/security/advisories/GHSA-7pm2-prxw-wrvp
- collector/nvd-index
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/author
- agent/last-modified-date
- agent/references
- agent/title
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- vendor/discourse
- canonical/discourse discourse
- version/discourse discourse/3.1.0-beta1