{"containers": {"cna": {"affected": [{"product": "discourse-chat", "vendor": "discourse", "versions": [{"status": "affected", "version": "< 0.9"}]}], "descriptions": [{"lang": "en", "value": "Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. Version 0.9 contains a patch for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-06T19:30:14.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse-chat/pull/1205"}], "source": {"advisory": "GHSA-3vf2-wrjx-p6xj", "discovery": "UNKNOWN"}, "title": "Discourse-Chat Cross-Site Scripting issue for channel names and descriptions", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36057", "STATE": "PUBLIC", "TITLE": "Discourse-Chat Cross-Site Scripting issue for channel names and descriptions"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "discourse-chat", "version": {"version_data": [{"version_value": "< 0.9"}]}}]}, "vendor_name": "discourse"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. Version 0.9 contains a patch for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}, {"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj", "refsource": "CONFIRM", "url": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj"}, {"name": "https://github.com/discourse/discourse-chat/pull/1205", "refsource": "MISC", "url": "https://github.com/discourse/discourse-chat/pull/1205"}]}, "source": {"advisory": "GHSA-3vf2-wrjx-p6xj", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.416Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse-chat/pull/1205"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:01:23.903307Z", "id": "CVE-2022-36057", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T17:14:30.715Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36057", "datePublished": "2022-09-06T19:30:14.000Z", "dateReserved": "2022-07-15T00:00:00.000Z", "dateUpdated": "2025-04-23T17:14:30.715Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/discourse/discourse-chat/pull/1205", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.416Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-36057", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T14:01:23.903307Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T14:01:25.179Z"}}], "cna": {"title": "Discourse-Chat Cross-Site Scripting issue for channel names and descriptions", "source": {"advisory": "GHSA-3vf2-wrjx-p6xj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse-chat", "versions": [{"status": "affected", "version": "< 0.9"}]}], "references": [{"url": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse-chat/pull/1205", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. Version 0.9 contains a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-09-06T19:30:14.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, "source": {"advisory": "GHSA-3vf2-wrjx-p6xj", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 0.9"}]}, "product_name": "discourse-chat"}]}, "vendor_name": "discourse"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj", "name": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj", "refsource": "CONFIRM"}, {"url": "https://github.com/discourse/discourse-chat/pull/1205", "name": "https://github.com/discourse/discourse-chat/pull/1205", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. Version 0.9 contains a patch for this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}, {"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-36057", "STATE": "PUBLIC", "TITLE": "Discourse-Chat Cross-Site Scripting issue for channel names and descriptions", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-36057", "state": "PUBLISHED", "dateUpdated": "2025-04-23T17:14:30.715Z", "dateReserved": "2022-07-15T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-09-06T19:30:14.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse-chat:*:*:*:*:*:discourse:*:*", "matchCriteriaId": "A2BA9C99-E117-4FE3-A2A2-40CC2D9B19B0", "versionEndExcluding": "0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Discourse-Chat is an asynchronous messaging plugin for the Discourse open-source discussion platform. Users of Discourse Chat can be affected by admin users inserting HTML into chat titles and descriptions, causing a Cross-Site Scripting (XSS) attack. Version 0.9 contains a patch for this issue."}, {"lang": "es", "value": "Discourse-Chat es un plugin de mensajer\u00eda as\u00edncrona para la plataforma de debate de c\u00f3digo abierto Discourse. Los usuarios de Discourse Chat pueden verse afectados por usuarios administradores que insertan HTML en los t\u00edtulos y descripciones de los chats, causando un ataque de tipo Cross-Site Scripting (XSS). La versi\u00f3n 0.9 contiene un parche para este problema.\n"}], "id": "CVE-2022-36057", "lastModified": "2024-11-21T07:12:17.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-06T20:15:08.873", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/discourse-chat/pull/1205"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/discourse-chat/pull/1205"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/discourse-chat/security/advisories/GHSA-3vf2-wrjx-p6xj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}