PT-2021-22418 · Discourse · Discourse

Oblakeerickson · Published 2021-08-26 · Updated 2024-03-06 · CVE-2021-39161

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the latest stable, beta and tests-passed versions

Description: The issue allows category names to be used for Cross-site scripting (XSS) attacks. This is mitigated by Discourse's default Content Security Policy, and the vulnerability only affects sites that have modified, disabled, or changed this policy and have allowed moderators to modify categories.

Recommendations: For all affected versions, ensure that the Content Security Policy is enabled and has not been modified in a way that would make it more vulnerable to XSS attacks. Update to the latest stable, beta, or tests-passed version of Discourse to patch the issue.
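A defender-side check for the recommendation above, added here as an example that is not part of this advisory or of Discourse itself: it parses a Content-Security-Policy header value and reports whether the directive governing scripts still blocks inline script execution, which is the protection that keeps a script-bearing category name from running. The header strings in the test are constructed samples; the actual default Discourse policy is not reproduced here.

```python
"""Assess whether a CSP header still restricts script execution.

Added example for this advisory; not Discourse code. Sample headers
passed to assess_csp() are constructed, not copied from any site.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CspVerdict:
    effective_directive: str              # "script-src", "default-src" or ""
    weak_sources: List[str] = field(default_factory=list)
    blocks_inline_scripts: bool = False   # True only if inline scripts are refused


# Source expressions that widen where scripts may come from or run.
WEAK_TOKENS = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}; per spec the first
    occurrence of a directive wins and later duplicates are ignored."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def assess_csp(header: Optional[str]) -> CspVerdict:
    """Return which directive governs scripts and whether it blocks inline code.
    A missing header, or one with neither script-src nor default-src, leaves
    scripts unrestricted, which is the condition this advisory warns about."""
    if not header or not header.strip():
        return CspVerdict("")
    directives = parse_csp(header)
    # script-src takes precedence; default-src is the fallback for scripts.
    name = "script-src" if "script-src" in directives else (
        "default-src" if "default-src" in directives else "")
    if not name:
        return CspVerdict("")
    sources = [s.lower() for s in directives[name]]
    # CSP Level 2+: a nonce or hash source causes 'unsafe-inline' to be ignored.
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    weak = [s for s in sources if s in WEAK_TOKENS]
    if has_nonce_or_hash and "'unsafe-inline'" in weak:
        weak.remove("'unsafe-inline'")
    blocks_inline = "'unsafe-inline'" not in sources or has_nonce_or_hash
    return CspVerdict(name, weak, blocks_inline)
```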

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2021-39161
CVE-2021-39161
GHSA-XHMC-9JWM-WQPH

Affected Products

Discourse