Home > Vulnerability Database > CVE-2022-39270

Mend.io Vulnerability Database

CVE-2022-39270

Date: October 5, 2022

DiscoTOC is a Discourse theme component that generates a table of contents for topics. Users that can create topics in TOC-enabled categories (and have sufficient trust level - configured in component's settings) are able to inject arbitrary HTML on that topic's page. The issue has been fixed on the "main" branch. Admins can update the theme component through the admin UI (Customize -> Themes -> Components -> DiscoTOC -> Check for Updates). Alternatively, admins can temporarily disable the DiscoTOC theme component.

Language: JS

Severity Score

5.4

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39270

Url: https://github.com/discourse/DiscoTOC/commit/f80c215a283cd045d2a371403e6eba88b2911192

Url: https://github.com/discourse/DiscoTOC/security/advisories/GHSA-m44p-w923-w32h

Url: https://www.cve.org/CVERecord?id=CVE-2022-39270

Url: https://www.mend.io/vulnerability-database/CVE-2022-39270

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39270

Date: October 5, 2022

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?