CVE-2022-39279 MEDIUM

CVE-2022-39279: Discourse-chat plugin susceptible to XSS in channel name and description

Vendor Discourse
Product discourse-chat
Weakness CWE-79 · XSS
Published October 6, 2022
Last update April 23, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9, some places render a chat channel's name and description in an unsafe way, allowing staff members to cause a cross-site scripting (XSS) attack by inserting unsafe HTML into them. Version 0.9 has addressed this issue. Users are advised to upgrade. There are no known workarounds for this issue.

Key dates

02 Disclosure timeline

October 6, 2022 CVE published
April 23, 2025 Record updated