CVE-2023-22468 HIGH

CVE-2023-22468: Discourse vulnerable to Cross-site Scripting in local oneboxes

Vendor Discourse

Product discourse

Weakness CWE-79 · XSS

Published January 26, 2023

Last update March 10, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed), are vulnerable to cross-site Scripting. A maliciously crafted URL can be included in a post to carry out cross-site scripting attacks on sites with disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. This vulnerability is patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed). As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.

Key dates

02Disclosure timeline

January 26, 2023 CVE published

March 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-22468 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2023-22468

CWE CWE-79

CVSS 8.8 / HIGH

Affected versions

Vendor Discourse

Product discourse

Affected stable < 2.8.14

Vendor Discourse

Product discourse

Affected beta < 3.0.0.beta16

Vendor Discourse

Product discourse

Affected tests-passed < 3.0.0.beta16

CVE-2023-22468: Discourse vulnerable to Cross-site Scripting in local oneboxes

01Description

02Disclosure timeline

03References

04Related CVE