CVE-2021-37633
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in Discourse allows attackers to inject malicious scripts into d-popover tooltips, potentially compromising user sessions and data. Only sites that have modified or disabled Discourse's default Content Security Policy are affected. The vulnerability requires user interaction with malicious tooltips to trigger.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface the platform, or redirect users to malicious sites, leading to complete account compromise and data theft.
Likely Case
Session hijacking, credential theft, or limited account takeover for users who interact with malicious tooltips.
If Mitigated
No impact if default Content Security Policy is properly configured and enforced, as it prevents script execution from untrusted sources.
🎯 Exploit Status
Exploitation requires user interaction with malicious tooltips and a weakened CSP. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.8
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-v3v8-3m5w-pjp9
Restart Required: Yes
Instructions:
1. Backup your Discourse instance.
2. Update to Discourse version 2.7.8 or later using standard update procedures.
3. Restart the application server.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Enable and Secure Content Security Policy
Ensure Discourse's default Content Security Policy is enabled and has not been modified to allow unsafe script execution.
Check CSP configuration in Discourse admin panel under Settings > Security
🧯 If You Can't Patch
- Ensure Content Security Policy is enabled with default settings and not modified to allow 'unsafe-inline' or 'unsafe-eval' directives.
- Monitor for suspicious tooltip content and user reports of unexpected behavior.
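The workaround and the "If You Can't Patch" advice both come down to one question: does the site's Content-Security-Policy still keep injected tooltip markup from executing as script? The following checker is an added example (not Discourse's code and not from the advisory); it parses a CSP header value and reports any script-source expression that would allow that ('unsafe-inline', 'unsafe-eval', wildcard or bare-scheme sources, or no script-governing directive at all). The sample header values are constructed for illustration and are not taken from any real deployment.

```python
import re

# Constructed sample header values for illustration; none comes from a real Discourse site.
SAMPLE_HEADERS = {
    "strict": "default-src 'self'; script-src 'self' https://cdn.example.invalid; object-src 'none'",
    "weakened_inline": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "weakened_eval": "default-src 'self'; script-src 'self' 'nonce-c29tZXJhbmRvbQ==' 'unsafe-eval'",
    "wildcard_default": "default-src *",
    "empty": "",
}

# Source expressions that let injected markup run as script (compared case-insensitively).
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
NO_POLICY = "(no script-src or default-src)"


def parse_csp(header):
    """Parse a CSP header value into {directive_name: [source tokens]}.

    Per the CSP spec, only the first occurrence of a directive counts;
    later duplicates are ignored, so we keep the first one we see.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy):
    """script-src governs scripts; default-src is the fallback; neither means no restriction."""
    if "script-src" in policy:
        return policy["script-src"]
    if "default-src" in policy:
        return policy["default-src"]
    return None


def csp_findings(header):
    """Return the weak script-source tokens in effect, or a marker if scripts are unrestricted.

    'unsafe-inline' is flagged even when a nonce/hash is also present: CSP-aware
    browsers ignore it in that case, but its presence still shows the policy was weakened.
    """
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return [NO_POLICY]
    return [src for src in sources if src.lower() in WEAK_SOURCES]


def check_all(headers):
    """Map each named header to True (script sources look strict) or False (weakened)."""
    return {name: csp_findings(value) == [] for name, value in headers.items()}


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        findings = csp_findings(value)
        print(f"{name:18s} {'OK' if not findings else 'WEAK: ' + ' '.join(findings)}")
```

To check a live site, copy the value of its Content-Security-Policy response header (for example from `curl -sI` against the forum's front page) into `csp_findings`; an empty result means the script-source policy has not been loosened in any of the ways the workaround warns about, which is the precondition this advisory says the vulnerability depends on.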
🔍 How to Verify
Check if Vulnerable:
Check Discourse version in admin panel. If version is below 2.7.8 AND CSP has been modified/disabled, the system is vulnerable.
Check Version:
In Discourse admin panel, navigate to Dashboard > About to view version.
Verify Fix Applied:
Confirm version is 2.7.8 or higher in admin panel and test that d-popover tooltips render safely.
📡 Detection & Monitoring
Log Indicators:
- Unusual tooltip content containing script tags or JavaScript code
- User reports of unexpected tooltip behavior
Network Indicators:
- External script loads triggered by tooltip interactions when CSP is weak
SIEM Query:
Search for logs containing 'd-popover' with script-like patterns when CSP violations are logged.
🔗 References
- https://github.com/discourse/discourse/commit/38199424bc840d2ef002cd1e9bffdbb99191eb47
- https://github.com/discourse/discourse/security/advisories/GHSA-v3v8-3m5w-pjp9