XSS via d-popover and d-html-popover attribute · Advisory · discourse/discourse · GitHub

XSS via d-popover and d-html-popover attribute

High
jomaxro published GHSA-v3v8-3m5w-pjp9 Aug 7, 2021

Package

No package listed

Affected versions

stable <= 2.7.7; beta <= 2.8.0.beta4; tests-passed <= 2.8.0.beta4;

Patched versions

stable >= 2.7.8; beta >= 2.8.0.beta4; tests-passed >= 2.8.0.beta4;

Description

Impact

Rendering of d-popover tooltips can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse's default Content Security Policy.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

Ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.
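The Impact and Workarounds sections both hinge on whether the site's Content Security Policy still restricts script execution. The following is an added example (not Discourse's own code) that audits a CSP header for script-src settings which would let injected markup run; the sample policies it uses are constructed and are not Discourse's actual defaults.

```python
# Added example (not Discourse's own code): audit a Content-Security-Policy
# header for script-src settings that would let injected markup execute,
# which is the condition the workaround above tells operators to avoid.
# Sample headers below are constructed for illustration.

SCHEME_WIDE_OPEN = {"*", "data:", "http:", "https:", "blob:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_src_weaknesses(header: str) -> list:
    """Return the reasons this policy would not stop injected script.

    An empty list means script execution is restricted to listed sources.
    """
    policy = parse_csp(header)
    # script-src falls back to default-src; with neither, nothing is restricted.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: inline script is allowed"]
    lowered = [s.lower() for s in sources]
    problems = []
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        problems.append("'unsafe-inline' permits injected inline script")
    for src in lowered:
        if src in SCHEME_WIDE_OPEN:
            problems.append(f"source {src} allows script from any origin")
    if "'unsafe-eval'" in lowered:
        problems.append("'unsafe-eval' permits string-to-code execution")
    return problems


# Constructed sample policies (not Discourse's actual defaults).
STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'"
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"

if __name__ == "__main__":
    for name, csp in (("strict", STRICT_CSP), ("weak", WEAK_CSP)):
        print(name, script_src_weaknesses(csp) or "no script-src weaknesses")
```

Run it against the `Content-Security-Policy` header your site actually serves; any non-empty result is a policy change of the kind this advisory warns about.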

Severity

High

CVE ID

CVE-2021-37633

Weaknesses

No CWEs

Credits