CVE-2022-39270

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-39270

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39270.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-39270

Related

GHSA-m44p-w923-w32h

Published

2022-10-06T18:16:14Z

Modified

2025-01-08T04:21:04Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

DiscoTOC is a Discourse theme component that generates a table of contents for topics. Users that can create topics in TOC-enabled categories (and have sufficient trust level - configured in component's settings) are able to inject arbitrary HTML on that topic's page. The issue has been fixed on the main branch. Admins can update the theme component through the admin UI (Customize -> Themes -> Components -> DiscoTOC -> Check for Updates). Alternatively, admins can temporarily disable the DiscoTOC theme component.

References

Affected packages

Git / github.com/discourse/discotoc

Affected ranges

Type: GIT
Repo: https://github.com/discourse/discotoc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f80c215a283cd045d2a371403e6eba88b2911192

Fixed

f80c215a283cd045d2a371403e6eba88b2911192