CVE-2022-46180

Arbitrary HTML injection in discourse-mermaid-theme-component

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Discourse Mermaid (discourse-mermaid-theme-component) allows users of Discourse, open-source forum software, to create graphs using the Mermaid syntax. Users of discourse-mermaid-theme-component version 1.0.0 who can create posts are able to inject arbitrary HTML on that post. The issue has been fixed on the `main` branch of the GitHub repository, with 1.1.0 named as a patched version. Admins can update the theme component through the admin UI. As a workaround, admins can temporarily disable discourse-mermaid-theme-component.

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-11-28 CVE Reserved
  • 2023-01-04 CVE Published
  • 2024-07-27 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Discourse | Mermaid | >= 1.0.0 < 1.1.0 | - | Affected |