CVE-2021-41095

Discourse is an open source discussion platform. There is a cross-site scripting (XSS) vulnerability in versions 2.7.7 and earlier of the `stable` branch, versions 2.8.0.beta6 and earlier of the `beta` branch, and versions 2.8.0.beta6 and earlier of the `tests-passed` branch. Rendering of some error messages that contain user input can be susceptible to XSS attacks. This vulnerability only affects sites which have blocked watched words that contain HTML tags, modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest `stable`, `beta` and `tests-passed` versions of Discourse. As a workaround, avoid modifying or disabling Discourse’s default Content Security Policy, and blocking watched words containing HTML tags.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.8.0:beta1:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.8.0:beta2:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.8.0:beta3:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.8.0:beta4:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.8.0:beta5:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2.8.0:beta6:*:*:*:*:*:*

History

21 Nov 2024, 06:25

Type Values Removed Values Added
CVSS v2 : 4.3
v3 : 6.1
v2 : 4.3
v3 : 4.2
References () https://github.com/discourse/discourse/pull/14434/commits/40b776b9d39c41d9273d01eecf8fe03aa39fcb59 - Patch, Third Party Advisory () https://github.com/discourse/discourse/pull/14434/commits/40b776b9d39c41d9273d01eecf8fe03aa39fcb59 - Patch, Third Party Advisory
References () https://github.com/discourse/discourse/security/advisories/GHSA-qvqx-2h7w-m479 - Third Party Advisory () https://github.com/discourse/discourse/security/advisories/GHSA-qvqx-2h7w-m479 - Third Party Advisory

07 Nov 2023, 03:38

Type Values Removed Values Added
Summary Discourse is an open source discussion platform. There is a cross-site scripting (XSS) vulnerability in versions 2.7.7 and earlier of the `stable` branch, versions 2.8.0.beta6 and earlier of the `beta` branch, and versions 2.8.0.beta6 and earlier of the `tests-passed` branch. Rendering of some error messages that contain user input can be susceptible to XSS attacks. This vulnerability only affects sites which have blocked watched words that contain HTML tags, modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest `stable`, `beta` and `tests-passed` versions of Discourse. As a workaround, avoid modifying or disabling Discourse’s default Content Security Policy, and blocking watched words containing HTML tags. Discourse is an open source discussion platform. There is a cross-site scripting (XSS) vulnerability in versions 2.7.7 and earlier of the `stable` branch, versions 2.8.0.beta6 and earlier of the `beta` branch, and versions 2.8.0.beta6 and earlier of the `tests-passed` branch. Rendering of some error messages that contain user input can be susceptible to XSS attacks. This vulnerability only affects sites which have blocked watched words that contain HTML tags, modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest `stable`, `beta` and `tests-passed` versions of Discourse. As a workaround, avoid modifying or disabling Discourse’s default Content Security Policy, and blocking watched words containing HTML tags.

Information

Published : 2021-09-27 20:15

Updated : 2024-11-21 06:25


NVD link : CVE-2021-41095

Mitre link : CVE-2021-41095

CVE.ORG link : CVE-2021-41095


JSON object : View

Products Affected

discourse

  • discourse
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')