CVE-2022-46180

CVSS V2 None CVSS V3 None
Description
Discourse Mermaid (discourse-mermaid-theme-component) allows users of Discourse, open-source forum software, to create graphs using the Mermaid syntax. Users of discourse-mermaid-theme-component version 1.0.0 who can create posts are able to inject arbitrary HTML on that post. The issue has been fixed on the `main` branch of the GitHub repository, with 1.1.0 named as a patched version. Admins can update the theme component through the admin UI. As a workaround, admins can temporarily disable discourse-mermaid-theme-component.
Overview
  • CVE ID
  • CVE-2022-46180
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2023-01-04T17:15:08
  • Last Modified Date
  • 2023-01-10T19:43:11
Weakness Enumerations
CWE URL
CWE-79 http://cwe.mitre.org/data/definitions/79.html
CWE-74 http://cwe.mitre.org/data/definitions/74.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:discourse:mermaid:*:*:*:*:*:*:*:* 1 OR 1.0.0 1.1.0
References
Reference URL Reference Tags
https://github.com/discourse/discourse-mermaid-theme-component/commit/c10bc4a08bf865cee20e5d5dffba535762813f0f
https://github.com/discourse/discourse-mermaid-theme-component/pull/14
https://github.com/discourse/discourse-mermaid-theme-component/security/advisories/GHSA-8437-hgcm-p3q3
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-46180
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46180
History
Created Old Value New Value Data Type Notes
2023-01-04 18:20:48 Added to TrackCVE
2023-01-04 18:20:50 Weakness Enumeration new
2023-01-09 17:16:55 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2023-01-10 20:25:54 2023-01-10T19:43:11 CVE Modified Date updated
2023-01-10 20:25:54 Undergoing Analysis Analyzed Vulnerability Status updated
2023-01-10 20:25:58 Weakness Enumeration update
2023-01-10 20:25:58 CPE Information updated