CVE-2022-39232

Discourse vulnerable to incomplete quote causing a topic to crash in the browser

CVSS 6.5 MEDIUMEPSS 1.0%CWE-20

In short

A malformed quote in Discourse can cause the web page to crash with a JavaScript error, disrupting the user's browsing experience. This affects versions 2.9.0.beta5 through 2.9.0.beta9 of the open source discussion platform.

Technical detail

CWE-20 (Improper Input Validation) vulnerability in Discourse where incomplete quote markup fails validation and triggers an unhandled JavaScript error, causing a denial of service to the affected client. The attack vector requires the ability to post or edit content containing malformed quotes; version 2.9.0.beta10+ includes input validation fixes to prevent this client-side crash.

Summary generated and translated by AI from the official description.

Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Version 2.9.0.beta10 added a fix and tests to ensure incomplete quotes won't break the app. As a workaround, the quote can be fixed via the rails console.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected products

discourse · discourse

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/discourse/discourse/commit/eab33af5bf19827527fe79134d865b5c727f6530 https://github.com/discourse/discourse/pull/18311 https://github.com/discourse/discourse/security/advisories/GHSA-cv64-v73f-7wq5