CVE-2021-43827

discourse-footnote is a library providing footnotes for posts in Discourse. ### Impact When posting an inline footnote wrapped in `<a>` tags (e.g. `<a>^[footnote]</a>`, the resulting rendered HTML would include a nested `<a>`, which is stripped by Nokogiri because it is not valid. This then caused a javascript error on topic pages because we were looking for an `<a>` element inside the footnote reference span and getting its ID, and because it did not exist we got a null reference error in javascript. Users are advised to update to version 0.2. As a workaround editing offending posts from the rails console or the database console for self-hosters, or disabling the plugin in the admin panel can mitigate this issue.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/discourse/discourse-footnote/commit/796617e0131277011207541313522cd1946661ab	Patch Third Party Advisory
https://github.com/discourse/discourse-footnote/security/advisories/GHSA-58vr-c56v-qr57	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:discourse:discourse_footnote:*:*:*:*:*:discourse:*:*

History

No history.

Information

Published : 2021-12-14 23:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-43827

Mitre link : CVE-2021-43827

CVE.ORG link : CVE-2021-43827

JSON object : View

Products Affected

discourse

discourse_footnote

CWE

CWE-755

Improper Handling of Exceptional Conditions

{"id": "CVE-2021-43827", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2021-12-14T23:15:08.020", "references": [{"url": "https://github.com/discourse/discourse-footnote/commit/796617e0131277011207541313522cd1946661ab", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/discourse/discourse-footnote/security/advisories/GHSA-58vr-c56v-qr57", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-755"}]}], "descriptions": [{"lang": "en", "value": "discourse-footnote is a library providing footnotes for posts in Discourse. ### Impact When posting an inline footnote wrapped in `<a>` tags (e.g. `<a>^[footnote]</a>`, the resulting rendered HTML would include a nested `<a>`, which is stripped by Nokogiri because it is not valid. This then caused a javascript error on topic pages because we were looking for an `<a>` element inside the footnote reference span and getting its ID, and because it did not exist we got a null reference error in javascript. Users are advised to update to version 0.2. As a workaround editing offending posts from the rails console or the database console for self-hosters, or disabling the plugin in the admin panel can mitigate this issue."}, {"lang": "es", "value": "discourse-footnote es una biblioteca que proporciona notas a pie de p\u00e1gina para los mensajes en Discourse. ### Impacto Cuando es publicada una nota al pie de p\u00e1gina en l\u00ednea envuelta en etiquetas \"(a)\" (por ejemplo, \"(a)^[footnote](/a)\", el HTML resultante incluye un \"(a)\" anidado, que es eliminado por Nokogiri porque no es v\u00e1lido. Esto causaba un error de javascript en las p\u00e1ginas de los temas porque busc\u00e1bamos un elemento \"(a)\" dentro del span de referencia de la nota al pie y obten\u00edamos su ID, y como no se presentaba obten\u00edamos un error de referencia null en javascript. Es recomendado a usuarios que actualicen a la versi\u00f3n 0.2. Como soluci\u00f3n a este problema, pueden editarse las entradas en cuesti\u00f3n desde la consola de rails o la consola de la base de datos en el caso de los auto alojados, o deshabilitar el plugin en el panel de administraci\u00f3n"}], "lastModified": "2021-12-29T20:31:48.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse_footnote:*:*:*:*:*:discourse:*:*", "vulnerable": true, "matchCriteriaId": "08855F99-016D-4D36-A462-6D60CB5C970F", "versionEndExcluding": "0.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}