CVE-2022-39270: DiscoTOC Discourse Theme Component Vulnerability Allows HTML Injection
In this blog post, we will discuss CVE-2022-39270, a vulnerability found in the DiscoTOC Discourse theme component. DiscoTOC is a popular theme component used to generate a table of contents for topics in Discourse forums. A security flaw in DiscoTOC allows users with the proper trust level and permissions to inject arbitrary HTML code into the topic's page, potentially leading to cross-site scripting (XSS) attacks. In this article, we will cover the exploit details, code snippets, and original references, as well as the steps needed to fix this issue.
Exploit Details
The DiscoTOC Discourse theme component is designed to provide a table of contents for topics within Discourse forums. However, it didn't properly validate and sanitize user input before rendering the HTML. As a result, users with the ability to create topics in TOC-enabled categories and sufficient trust levels could inject arbitrary HTML code into the topic page. By exploiting this vulnerability, an attacker could perform unintended actions on behalf of the victim, access sensitive information, or redirect users to malicious websites through a cross-site scripting (XSS) attack.
Code Snippet Example
Let's assume a user has the required permissions and trust level. The user creates the following topic:
# My TOC-enabled Topic {%toc%}
My malicious content: <img src=x onerror=alert('XSS')>
When DiscoTOC renders the table of contents for this topic, the malicious HTML code will be executed, causing an alert with the message "XSS" to pop-up, proving that the injection has taken place.
Original References
This vulnerability was first reported to Discourse Security through their HackerOne program (HackerOne Report #1426024). Discourse promptly addressed the issue by patching it on the main branch of the DiscoTOC repository (GitHub Commit). The CVE-2022-39270 identifier has been assigned to this vulnerability.
How To Fix the Issue
Admins using DiscoTOC theme component can apply the fix by updating it through the admin UI. Follow these steps to update the theme component:
Click on the 'Check for Updates' button to update the component to the latest version.
After updating the DiscoTOC theme component, the vulnerability should be patched, and users are no longer able to inject arbitrary HTML into topics.
Temporary Workaround
If your Discourse forum uses the DiscoTOC theme component and you cannot update it immediately, temporarily disabling the component is advised. To disable the DiscoTOC theme component, follow these steps:
Conclusion
With this long-read article about CVE-2022-39270, we aimed to bring awareness to this security vulnerability found in the DiscoTOC Discourse theme component. We provided the necessary details, code snippets, and original references to inform readers about the nature of the vulnerability and how to fix it. Updating or temporarily disabling the DiscoTOC theme component should be done as soon as possible to avoid potential attacks using this HTML injection security flaw.
Timeline
Published on: 10/06/2022 18:16:00 UTC
Last modified on: 10/11/2022 05:15:00 UTC