PT-2023-14818 · Discourse · Discourse-Mermaid-Theme-Component+1

0-0Eth0

+2

·

Publicado

2023-01-04

·

Atualizado

2023-01-10

·

CVE-2022-46180

CVSS v3.1

5.0

Média

VetorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions Discourse Mermaid (discourse-mermaid-theme-component) version 1.0.0
Description The issue allows users who can create posts to inject arbitrary HTML on that post, using the Mermaid syntax in Discourse, open-source forum software.
Recommendations For version 1.0.0, update the theme component to version 1.1.0 through the admin UI to resolve the issue. As a temporary workaround, consider disabling the discourse-mermaid-theme-component until the update is applied.

Exploit

Correção

XSS

Special Elements Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79CWE-74

Identificadores relacionados

CVE-2022-46180
GHSA-8437-HGCM-P3Q3

Produtos afetados

Discourse
Discourse-Mermaid-Theme-Component