CVE-2023-26040 MEDIUM

CVE-2023-26040: Discourse chat messages susceptible to Cross-site Scripting through chat excerpts

Vendor Discourse

Product discourse

Weakness CWE-79 · XSS

Published March 17, 2023

Last update February 25, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

Discourse is an open-source discussion platform. Between versions 3.1.0.beta2 and 3.1.0.beta3 of the `tests-passed` branch, editing or responding to a chat message containing malicious content could lead to a cross-site scripting attack. This issue is patched in version 3.1.0.beta3 of the `tests-passed` branch. There are no known workarounds.

Key dates

02Disclosure timeline

March 17, 2023 CVE published

February 25, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-26040 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2023-26040

CWE CWE-79

CVSS 6.5 / MEDIUM

Affected versions