CVE-2023-22468

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2.8.13 Discourse version 3.0.0.beta16 and earlier in the beta and tests-passed channels

Description The issue allows a maliciously crafted URL to be included in a post to carry out cross-site scripting attacks on sites with disabled or overly permissive Content Security Policy (CSP). Discourse's default CSP prevents this issue.

Recommendations For versions prior to 2.8.13, update to version 2.8.13 or later. For version 3.0.0.beta16 and earlier in the beta and tests-passed channels, update to version 3.0.0.beta16 or later. As a temporary workaround, enable and/or restore your site's CSP to the default one provided with Discourse.