CVE-2021-39161 MEDIUM

CVE-2021-39161: Cross-site scripting via category name in Discourse

Vendor Discourse

Product discourse

Weakness CWE-79 · XSS

Published August 26, 2021

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

4.4/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Discourse is an open source platform for community discussion. In affected versions category names can be used for Cross-site scripting(XSS) attacks. This is mitigated by Discourse's default Content Security Policy and this vulnerability only affects sites which have modified or disabled or changed Discourse's default Content Security Policy have allowed for moderators to modify categories. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.

Key dates

02Disclosure timeline

August 26, 2021 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-39161

Related vulnerabilities

Identifiers

CVE CVE-2021-39161

CWE CWE-79

CVSS 4.4 / MEDIUM

Affected versions

Vendor Discourse

Product discourse

Affected < 2.7.8

Vendor Discourse

Product discourse

Affected >= 2.8.0.beta1, < 2.8.0.beta4

CVE-2021-39161: Cross-site scripting via category name in Discourse

01Description

02Disclosure timeline

03References

04Related CVE