CVE-2023-22454

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2.8.14 on the stable branch Discourse versions prior to 3.0.0.beta16 on the beta and tests-passed branches

Description The issue concerns a cross-site scripting attack through pending post titles, which can be created by unprivileged users in categories requiring moderator approval. This can lead to a full XSS on sites with modified or disabled Content Security Policy.

Recommendations For versions prior to 2.8.14 on the stable branch, update to version 2.8.14 or later. For versions prior to 3.0.0.beta16 on the beta and tests-passed branches, update to version 3.0.0.beta16 or later. As a temporary workaround, consider restricting the creation of pending posts in categories with the "require moderator approval of all new topics" setting set, until a patch is applied.