BIT-discourse-2021-41095

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2021-41095.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-discourse-2021-41095
Aliases
Published
2024-03-06T11:09:23.967Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

Discourse is an open source discussion platform. There is a cross-site scripting (XSS) vulnerability in versions 2.7.7 and earlier of the stable branch, versions 2.8.0.beta6 and earlier of the beta branch, and versions 2.8.0.beta6 and earlier of the tests-passed branch. Rendering of some error messages that contain user input can be susceptible to XSS attacks. This vulnerability only affects sites which have blocked watched words that contain HTML tags, modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. As a workaround, avoid modifying or disabling Discourse’s default Content Security Policy, and blocking watched words containing HTML tags.

References

Affected packages

Bitnami / discourse

Package

Name
discourse
Purl
pkg:bitnami/discourse

Severity

  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.7
Type
SEMVER
Events
Introduced
2.8.0-beta1
Last affected
2.8.0-beta1
Introduced
2.8.0-beta2
Last affected
2.8.0-beta2
Introduced
2.8.0-beta3
Last affected
2.8.0-beta3
Introduced
2.8.0-beta4
Last affected
2.8.0-beta4
Introduced
2.8.0-beta5
Last affected
2.8.0-beta5
Introduced
2.8.0-beta6
Last affected
2.8.0-beta6