Arbitrary CSS injection in BBCode plugin
Package
discourse-bbcode (Discourse)
Affected versions
< 91478f5cfecdcc43cf85b997168a8ecfd0f8df90
Patched versions
>= 91478f5cfecdcc43cf85b997168a8ecfd0f8df90
Impact
CSS injection can occur when rendering content generated with the discourse-bbcode plugin.
This vulnerability only affects sites that have the discourse-bbcode plugin installed and enabled.
Patches
This issue is patched in the latest version of the discourse-bbcode plugin.
Workarounds
Ensure that the Content Security Policy is enabled. Monitor any posts that contain BBCode.