Arbitrary CSS injection in BBCode plugin

Moderate
jomaxro published GHSA-8c87-xpqv-c7mp Nov 30, 2022

Package

discourse-bbcode (Discourse)

Affected versions

< 91478f5cfecdcc43cf85b997168a8ecfd0f8df90

Patched versions

>= 91478f5cfecdcc43cf85b997168a8ecfd0f8df90

Description

Impact

CSS injection can occur when rendering content generated with the discourse-bbcode plugin.
This vulnerability only affects sites which have the discourse-bbcode plugin installed and enabled.

Patches

This issue is patched in the latest version of the discourse-bbcode plugin.

Workarounds

Ensure that the Content Security Policy is enabled. Monitor any posts that contain bbcode.
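The two workarounds above can both be checked mechanically. The following Python is an added example written for this advisory, not code from Discourse or the discourse-bbcode plugin: it flags posts that contain BBCode tags so they can be reviewed, and confirms that a response actually carries an enforcing Content-Security-Policy header. The `[tag=arg]...[/tag]` grammar, the function names and the sample posts and headers are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Mapping

# Hypothetical monitoring helpers written for this advisory page; not code from
# Discourse or the discourse-bbcode plugin. The BBCode grammar below is a
# generic "[tag=arg]...[/tag]" shape assumed for illustration.
BBCODE_TAG = re.compile(r"\[(/?)([a-zA-Z][a-zA-Z0-9]*)(?:=([^\]]*))?\]")


def bbcode_tags(text: str) -> List[str]:
    """Return the distinct (lowercased) BBCode tag names found in a post."""
    return sorted({m.group(2).lower() for m in BBCODE_TAG.finditer(text)})


def flag_bbcode_posts(posts: Mapping[int, str]) -> Dict[int, List[str]]:
    """Map post id -> BBCode tags for every post that contains any BBCode.

    Posts without BBCode are omitted, so a moderator queue only sees the
    posts the advisory's workaround asks to monitor.
    """
    flagged: Dict[int, List[str]] = {}
    for post_id, body in posts.items():
        tags = bbcode_tags(body)
        if tags:
            flagged[post_id] = tags
    return flagged


def csp_enabled(headers: Mapping[str, str]) -> bool:
    """True when the response carries a non-empty Content-Security-Policy.

    Header names are compared case-insensitively, as HTTP requires. The
    Report-Only variant blocks nothing, so it does not count as enabled.
    """
    for name, value in headers.items():
        if name.lower() == "content-security-policy" and value.strip():
            return True
    return False


# Constructed sample data (not real Discourse posts or responses).
SAMPLE_POSTS = {
    1: "Plain post with no markup at all.",
    2: "Some [b]bold[/b] text and a [color=red]note[/color].",
    3: "Markdown only: **bold** and `code`, no square-bracket tags.",
    4: "[url=https://example.com]link[/url] inside a [quote]quote[/quote]",
}

SAMPLE_HEADERS_OK = {
    "Content-Type": "text/html",
    "content-security-policy": "default-src 'self'",
}
SAMPLE_HEADERS_MISSING = {"Content-Type": "text/html"}
SAMPLE_HEADERS_REPORT_ONLY = {
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}

if __name__ == "__main__":
    print(flag_bbcode_posts(SAMPLE_POSTS))
    print(csp_enabled(SAMPLE_HEADERS_OK), csp_enabled(SAMPLE_HEADERS_MISSING))
```

Running the block over the constructed posts flags only posts 2 and 4, and only the first header set counts as a CSP being enabled; the report-only header is deliberately rejected because it would not stop injected styles from being applied.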

Severity

Moderate

CVE ID

CVE-2022-46162

Weaknesses

No CWEs