PT-2022-27764 · Discourse · Discourse

1Twodrei · Published 2022-11-29 · Updated 2024-03-06 · CVE-2022-46148

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Discourse 2.8.10 and prior (stable); Discourse 2.9.0.beta11 and prior (beta)
Description: Discourse is an open-source messaging platform. A user who composes a message containing a malicious payload and then navigates to the drafts page could trigger a self-XSS, where the payload executes in that user's own session. On sites that have modified or disabled Discourse's default Content Security Policy, the same issue can escalate to a full XSS, since the CSP is what stops the injected inline script from executing.
Recommendations: For versions 2.8.10 and prior, update to the latest stable version of Discourse. For versions 2.9.0.beta11 and prior, update to the latest beta or tests-passed version of Discourse. Until the update can be applied, consider restricting access to the drafts page as a temporary workaround. Keep Discourse's default Content Security Policy enabled and do not weaken it (for example by allowing 'unsafe-inline' in script sources), since the default CSP is what limits this issue to a self-XSS.
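The advisory's distinction between a self-XSS and a full XSS rests on whether the site's CSP still forbids inline script. The following Python is an added example, not code from the advisory or from the Discourse project: it parses a Content-Security-Policy header value and reports the conditions under which an injected inline script would execute (no header, no script-src or default-src fallback, 'unsafe-inline' without a nonce or hash, wildcard script hosts). The sample header values are constructed for illustration and are not Discourse's actual default policy.

```python
"""Assess whether a Content-Security-Policy header still blocks injected inline scripts.

Added example: parses a CSP header value the way a browser does (first occurrence
of a directive wins, script-src falls back to default-src) and lists the reasons an
attacker-supplied <script> or onerror= payload could execute. Sample headers below
are constructed for illustration only.
"""
from typing import Dict, List, Optional

# Nonce/hash sources cause CSP2+ browsers to ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Host sources so broad that an attacker-controlled host is allowed.
BROAD_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}.

    Directives are ';'-separated; the first token is the directive name and the
    remaining tokens are its sources. Browsers ignore repeated directives, so only
    the first occurrence of a name is kept.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the sources governing <script>, honouring the default-src fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")  # None when neither directive is present


def assess_xss_protection(header: Optional[str]) -> List[str]:
    """Return findings explaining why injected inline script could run; [] if blocked."""
    if header is None or not header.strip():
        return ["no Content-Security-Policy header: injected inline scripts run unrestricted"]

    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return ["neither script-src nor default-src is set: scripts are unrestricted"]

    lowered = [s.lower() for s in sources]
    findings: List[str] = []

    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' in script sources without a nonce or hash: "
                        "inline payloads execute")

    # 'strict-dynamic' makes host-based allow-lists irrelevant, so only flag
    # broad hosts when it is absent.
    if "'strict-dynamic'" not in lowered:
        for src in lowered:
            if src in BROAD_SOURCES:
                findings.append(f"overly broad script source {src!r}: "
                                "attacker-controlled hosts can serve scripts")
    return findings


def is_hardened(header: Optional[str]) -> bool:
    """True when the policy leaves no finding, i.e. inline injection stays self-contained."""
    return not assess_xss_protection(header)


# Constructed sample headers (illustrative; not Discourse's real default policy).
STRICT_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com "
              "'report-sample'; object-src 'none'; base-uri 'self'")
WEAKENED_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
NONCED_CSP = "script-src 'nonce-abc123' 'unsafe-inline' 'strict-dynamic'"
DISABLED_CSP: Optional[str] = None

if __name__ == "__main__":
    for label, header in [("strict", STRICT_CSP), ("weakened", WEAKENED_CSP),
                          ("nonced", NONCED_CSP), ("disabled", DISABLED_CSP)]:
        print(f"{label:>9}: {assess_xss_protection(header) or ['inline script blocked']}")
```

Run the script against the header your site actually returns (for example the value of the Content-Security-Policy response header on the drafts page) rather than the constructed samples; any non-empty finding is a configuration under which this advisory's self-XSS is no longer contained to the composing user's session.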

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2022-46148
CVE-2022-46148
GHSA-C5H6-6GG5-84FH

Affected Products

Discourse