CVE Vulnerability

CVE-2022-36057

Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. Version 0.9 contains a patch for this issue.

4.8 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj Third Party Advisory
https://github.com/discourse/discourse-chat/pull/1205 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:discourse:discourse-chat:*:*:*:*:*:discourse:*:*
Information

Published : 2022-09-06 08:15

Updated : 2022-09-09 04:32

NVD link : CVE-2022-36057

Mitre link : CVE-2022-36057

Products Affected
No products.
CWE
CWE-79

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)