PT-2022-24858: Discotoc

Author: Jomaxro · Published 2022-10-06 · Updated 2022-11-10

CVE: CVE-2022-39270
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: DiscoTOC versions prior to the fixed version on the main branch.

Description: The issue allows users to inject arbitrary HTML into a topic's page if they can create topics in TOC-enabled categories and have a sufficient trust level. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents in which this issue was exploited.

Technical details: The advisory states only that users can inject arbitrary HTML; it does not name specific API endpoints, vulnerable parameters or variables, or function names.

Recommendations: For versions prior to the fixed version on the main branch, update the theme component through the admin UI (Customize -> Themes -> Components -> DiscoTOC -> Check for Updates). Alternatively, temporarily disable the DiscoTOC theme component as a quick mitigation measure.

Tag: XSS

Related Identifiers: CVE-2022-39270, GHSA-M44P-W923-W32H

Affected Products: Discotoc