CVE-2022-39279

discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9 some places render a chat channel's name and description in an unsafe way, allowing staff members to cause an cross site scripting (XSS) attack by inserting unsafe HTML into them. Version 0.9 has addressed this issue. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse-chat/commit/25737733af48e5b9fa60b0561d7fde14bea13cce	Patch Third Party Advisory
https://github.com/discourse/discourse-chat/security/advisories/GHSA-qp62-8m3c-9jgj	Third Party Advisory
https://github.com/discourse/discourse-chat/commit/25737733af48e5b9fa60b0561d7fde14bea13cce	Patch Third Party Advisory
https://github.com/discourse/discourse-chat/security/advisories/GHSA-qp62-8m3c-9jgj	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:discourse:discourse-chat:*:*:*:*:*:discourse:*:*

History

21 Nov 2024, 07:17

Type	Values Removed	Values Added
References	~~() https://github.com/discourse/discourse-chat/commit/25737733af48e5b9fa60b0561d7fde14bea13cce - Patch, Third Party Advisory~~	() https://github.com/discourse/discourse-chat/commit/25737733af48e5b9fa60b0561d7fde14bea13cce - Patch, Third Party Advisory
References	~~() https://github.com/discourse/discourse-chat/security/advisories/GHSA-qp62-8m3c-9jgj - Third Party Advisory~~	() https://github.com/discourse/discourse-chat/security/advisories/GHSA-qp62-8m3c-9jgj - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~5.4~~	v2 : unknown v3 : 4.3

Information

Published : 2022-10-06 20:15

Updated : 2024-11-21 07:17

NVD link : CVE-2022-39279

Mitre link : CVE-2022-39279

CVE.ORG link : CVE-2022-39279

JSON object : View

Products Affected

discourse

discourse-chat

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-39279", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 0.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2022-10-06T20:15:34.980", "references": [{"url": "https://github.com/discourse/discourse-chat/commit/25737733af48e5b9fa60b0561d7fde14bea13cce", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-qp62-8m3c-9jgj", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/discourse/discourse-chat/commit/25737733af48e5b9fa60b0561d7fde14bea13cce", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-qp62-8m3c-9jgj", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9 some places render a chat channel's name and description in an unsafe way, allowing staff members to cause an cross site scripting (XSS) attack by inserting unsafe HTML into them. Version 0.9 has addressed this issue. Users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "discourse-chat es un plugin para el tablero de mensajes Discourse que a\u00f1ade funcionalidad de chat. En versiones anteriores a 0.9, algunos lugares muestran el nombre y la descripci\u00f3n de un canal de chat de forma no segura, permitiendo a miembros del personal causar un ataque de tipo cross site scripting (XSS) al insertar HTML no seguro en ellos. La versi\u00f3n 0.9 ha abordado este problema. Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema"}], "lastModified": "2024-11-21T07:17:56.713", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse-chat:*:*:*:*:*:discourse:*:*", "vulnerable": true, "matchCriteriaId": "A2BA9C99-E117-4FE3-A2A2-40CC2D9B19B0", "versionEndExcluding": "0.9"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}