CVE-2023-22468: 
NixOS vulnerability analysis and mitigation

Discourse, an open source platform for community discussion, was found to be vulnerable to cross-site scripting (XSS) attacks in versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta), and 3.0.0beta16 (tests-passed). The vulnerability was discovered and disclosed on January 25, 2023 (GitHub Advisory, NVD).

The vulnerability allows attackers to execute cross-site scripting attacks through maliciously crafted URLs included in posts. This attack vector is specifically effective on sites with disabled or overly permissive Content Security Policy (CSP) settings. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the vector string AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary web scripts or HTML in the context of the targeted Discourse instance, potentially leading to unauthorized access to sensitive information or manipulation of website content. However, the impact is limited to installations where the default Content Security Policy has been disabled or modified to be less restrictive (GitHub Advisory).

The vulnerability has been patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta), and 3.0.0beta16 (tests-passed). For users unable to upgrade immediately, the recommended workaround is to enable and/or restore the site's CSP to the default configuration provided with Discourse (GitHub Advisory, NVD).