CVE-2021-39161 : Discourse is an open source platform for community discussion. In affected versi

Discourse is an open source platform for community discussion. In affected versions category names can be used for Cross-site scripting(XSS) attacks. This is mitigated by Discourse's default Content Security Policy and this vulnerability only affects sites which have modified or disabled or changed Discourse's default Content Security Policy have allowed for moderators to modify categories. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.

Published 2021-08-26 20:15:07

Updated 2021-09-01 16:58:26

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2021-39161

Discourse » Discourse
Versions before (<) 2.7.8
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
Matching versions
Discourse » Discourse » Version: 2.8.0 Update Beta2
cpe:2.3:a:discourse:discourse:2.8.0:beta2:*:*:*:*:*:*
Matching versions
Discourse » Discourse » Version: 2.8.0 Update Beta3
cpe:2.3:a:discourse:discourse:2.8.0:beta3:*:*:*:*:*:*
Matching versions
Discourse » Discourse » Version: 2.8.0 Update Beta1
cpe:2.3:a:discourse:discourse:2.8.0:beta1:*:*:*:*:*:*
Matching versions
Discourse » Discourse » Version: 2.8.0 Update Beta4
cpe:2.3:a:discourse:discourse:2.8.0:beta4:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-39161

EPSS FAQ

0.30%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 50 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-39161

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:N/AC:H/Au:S/C:N/I:P/A:N	3.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
4.4	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N	1.3	2.7	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2021-39161

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2021-39161

https://github.com/discourse/discourse/security/advisories/GHSA-xhmc-9jwm-wqph

XSS via category name · Advisory · discourse/discourse · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-39161

Products affected by CVE-2021-39161

Exploit prediction scoring system (EPSS) score for CVE-2021-39161

CVSS scores for CVE-2021-39161

CWE ids for CVE-2021-39161

References for CVE-2021-39161