Home > Vulnerability Database > CVE-2023-25172

Mend.io Vulnerability Database

CVE-2023-25172

Date: March 17, 2023

Discourse is an open-source discussion platform. Prior to version 3.0.1 of the "stable" branch and version 3.1.0.beta2 of the "beta" and "tests-passed" branches, a maliciously crafted URL can be included in a user's full name field to to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the "stable" branch and version 3.1.0.beta2 of the "beta" and "tests-passed" branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.

Language: Ruby

Severity Score

4.4

Related Resources (7)

Url: https://github.com/discourse/discourse/security/advisories/GHSA-7pm2-prxw-wrvp

Url: https://github.com/discourse/discourse/pull/20009

Url: https://github.com/discourse/discourse/pull/20008

Url: https://github.com/discourse/discourse/commit/c186a46910431020e8efc425dec2133e7a99fa9a

Url: https://github.com/discourse/discourse/commit/1a5a6f66cb821ed29a737311d6fdc2eba5adc915

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-25172

Url: https://www.mend.io/vulnerability-database/CVE-2023-25172

Severity Score

4.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	4.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-25172

Date: March 17, 2023

Language: Ruby

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?