CVE-2021-37633
7.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Summary
Discourse is an open source discussion platform. In versions prior to 2.7.8 rendering of d-popover tooltips can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest stable 2.7.8 version of Discourse. As a workaround users may ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| discourse | discourse | < 2.7.8 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/discourse/discourse/security/advisories/GHSA-v3v8-3m5w-pjp9
- https://github.com/discourse/discourse/commit/38199424bc840d2ef002cd1e9bffdbb99191eb47
References
- https://github.com/discourse/discourse/security/advisories/GHSA-v3v8-3m5w-pjp9
- https://github.com/discourse/discourse/commit/38199424bc840d2ef002cd1e9bffdbb99191eb47
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.