Discourse is a popular open-source messaging platform that drives numerous communities and forums on the Internet. Recently, a vulnerability was discovered in certain versions of Discourse, which has been assigned the identifier CVE-2022-46148. This document will dive into the details of this vulnerability, the affected versions, potential impacts, and various fixes and mitigations available to prevent exploitation.

Summary

CVE-2022-46148 refers to a self-XSS (Cross-Site Scripting) vulnerability in Discourse. In specific versions and branches (2.8.10 and prior on the stable branch and 2.9..beta11 and prior on the beta and tests-passed branches), a user who composes a malicious message and subsequently navigates to the drafts page can trigger this vulnerability. On Discourse platforms that have modified or disabled the default Content Security Policy (CSP), this issue can escalate to full XSS.

Exploit Details

An attacker can exploit this vulnerability by composing a malicious message that contains crafted JavaScript code. For instance, the attacker could use a code snippet like this:

<script>alert('XSS');</script>

Once the message is saved as a draft, the attacker navigates to the drafts page. When the drafts page loads, the malicious JavaScript executes. On sites that have modified or disabled Discourse's default CSP, the same flaw could expose other users to XSS attacks rather than only the author of the draft.
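To make the defensive side concrete, the following is an added example (not Discourse's own code) of the two layers involved: a drafts-page renderer that concatenates draft fields into markup unescaped, beside the escaped form, and a small check of whether a site's Content-Security-Policy header still blocks inline scripts. The draft payload, the header strings and the function names are constructed for this illustration.

```javascript
// Added example (not Discourse's own code): rendering a saved draft's
// title/excerpt into a drafts page safely, and checking whether a site's
// Content-Security-Policy still blocks inline scripts. The draft payload
// and header values used here are constructed for this illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that could open a tag or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-controlled draft text concatenated straight into
// markup. A draft excerpt such as "<script>alert('XSS');</script>" is emitted
// verbatim and runs when the drafts page renders it.
function renderDraftUnsafe(draft) {
  return `<li class="draft"><b>${draft.title}</b><p>${draft.excerpt}</p></li>`;
}

// Hardened pattern: the same markup, with the draft fields escaped so the
// browser treats them as text rather than as elements.
function renderDraftSafe(draft) {
  return `<li class="draft"><b>${escapeHtml(draft.title)}</b><p>${escapeHtml(draft.excerpt)}</p></li>`;
}

// Parse a CSP header into { directive: [sources] } for a quick policy check.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// A CSP is a second layer against an injected <script> only if script-src
// (or default-src as its fallback) is present and does not list
// 'unsafe-inline'. This check is conservative: it treats 'unsafe-inline' as
// permissive even when a nonce or hash is also present. Sites that modified
// or removed the default policy commonly lose this layer.
function cspBlocksInlineScripts(header) {
  if (!header) return false;
  const policy = parseCsp(header);
  const scriptSrc = policy['script-src'] || policy['default-src'];
  if (!scriptSrc) return false;
  return !scriptSrc.includes("'unsafe-inline'");
}
```

Run the escaped renderer against the page's sample payload to see the `<script>` tag come out as inert text; the CSP check is what decides whether a miss in that first layer stays a self-XSS or becomes a site-wide one.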

Patches and Fixes

To combat this vulnerability and keep your platforms secure, upgrade to the latest fixed versions of Discourse:

Beta and Tests-Passed Branches: Update to 2.9..beta12 or later

It is strongly recommended to keep Discourse installations updated to the latest versions and follow best practices on customizing or disabling CSP settings.

Conclusion

CVE-2022-46148 is an important security vulnerability that Discourse administrators should be aware of. Upgrading to the latest versions and maintaining proper security configurations will go a long way in ensuring the safety of your messaging platforms and user data. Always stay informed and be proactive about addressing any security issues as they arise.

Timeline

Published on: 11/29/2022 17:15:00 UTC
Last modified on: 12/01/2022 22:02:00 UTC