CVE-2021-32764 Information
Jun 07, 2022
Description
Discourse is an open-source discussion platform. In Discourse versions 2.7.5 and prior, parsing and rendering of YouTube Oneboxes can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in stable version 2.7.6, beta version 2.8.0.beta3, and tests-passed version 2.8.0.beta3. As a workaround, ensure that the Content Security Policy is enabled and has not been modified in a way which would make it more vulnerable to XSS attacks.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Reference
https://github.com/discourse/discourse/security/advisories/GHSA-9x4c-29xg-56hw
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.4
Base Severity
MEDIUM