CVE-2022-39279

EPSS 0.37%
Veröffentlicht 06.10.2022 20:15:34
Zuletzt bearbeitet 21.11.2024 07:17:56
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Discourse-chat plugin susceptible to XSS in channel name and description

discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9 some places render a chat channel's name and description in an unsafe way, allowing staff members to cause an cross site scripting (XSS) attack by inserting unsafe HTML into them. Version 0.9 has addressed this issue. Users are advised to upgrade. There are no known workarounds for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Discourse ≫ Discourse-chat SwPlatformdiscourse Version < 0.9

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.37%	0.285

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	4.3	0.9	3.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/discourse/discourse-chat/commit/25737733af48e5b9fa60b0561d7fde14bea13cce

Patch

Third Party Advisory

https://github.com/discourse/discourse-chat/security/advisories/GHSA-qp62-8m3c-9jgj

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-39279

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-39279

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-39279

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-39279