CVE-2023-22468

EPSS 0.4%
Veröffentlicht 26.01.2023 21:18:12
Zuletzt bearbeitet 21.11.2024 07:44:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed), are vulnerable to cross-site Scripting. A maliciously crafted URL can be included in a post to carry out cross-site  scripting attacks on sites with disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. This vulnerability is patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed). As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Discourse ≫ Discourse Version < 2.8.13

Discourse ≫ Discourse Version2.9.0 Updatebeta1 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta10 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta11 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta12 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta13 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta14 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta2 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta3 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta4 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta5 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta6 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta7 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta8 SwEditionbeta

Discourse ≫ Discourse Version2.9.0 Updatebeta9 SwEditionbeta

Discourse ≫ Discourse Version3.0.0 Updatebeta15 SwEditionbeta

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.4%	0.601

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/discourse/discourse/security/advisories/GHSA-8mr2-xf8r-wr8m

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-22468

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-22468

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-22468

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-22468