Unrated severityNVD Advisory· Published Nov 29, 2022· Updated Apr 23, 2025
Discourse allows self-XSS through malicious composer message
CVE-2022-46148
Description
Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the stable branch and versions 2.9.0.beta11 and prior on the beta and tests-passed branches, users composing malicious messages and navigating to drafts page could self-XSS. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3<=2.8.10 (stable) / <=2.9.0.beta11 (beta)+ 1 more
- (no CPE)range: <=2.8.10 (stable) / <=2.9.0.beta11 (beta)
- (no CPE)range: <= 2.8.10
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.