CVE-2022-39279 – Discourse-chat plugin susceptible to XSS in channel name and description
https://notcve.org/view.php?id=CVE-2022-39279
discourse-chat is a plugin for the Discourse message board which adds chat functionality. In versions prior to 0.9, some places render a chat channel's name and description in an unsafe way, allowing staff members to cause a cross-site scripting (XSS) attack by inserting unsafe HTML into them. Version 0.9 has addressed this issue. Users are advised to upgrade. There are no known workarounds for this issue.
References: https://github.com/discourse/discourse-chat/commit/25737733af48e5b9fa60b0561d7fde14bea13cce https://github.com/discourse/discourse-chat/security/advisories/GHSA-qp62-8m3c-9jgj
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-36057 – Discourse-Chat Cross-Site Scripting issue for channel names and descriptions
https://notcve.org/view.php?id=CVE-2022-36057
Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a cross-site scripting (XSS) attack. Version 0.9 contains a patch for this issue.
References: https://github.com/discourse/discourse-chat/pull/1205 https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2022-31095 – Exposure of Sensitive Information in discourse-chat
https://notcve.org/view.php?id=CVE-2022-31095
discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information: an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup endpoint, primarily affecting direct message channels. There are no known workarounds for this issue, and users are advised to update the plugin.
References: https://github.com/discourse/discourse-chat/security/advisories/GHSA-r979-jhp2-3f6h
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-862: Missing Authorization