Discourse Code Review Plugin Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability has been identified in the Discourse Code Review Plugin, which allows users to review GitHub commits on Discourse. Prior to the patch in commit eed3a80, an attacker could execute arbitrary JavaScript in users' browsers by sharing links to malicious GitHub commits. This vulnerability affects versions of the plugin prior to eed3a80.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious JavaScript in the context of the user's browser.

Reproduction

To reproduce this vulnerability, upload a GitHub commit link containing malicious JavaScript payloads into a Discourse post. Once the post is published, the injected JavaScript will execute in the browsers of users viewing the post.

Remediation

Users can update to the latest version of the Discourse Code Review Plugin, which includes the necessary patch. Alternatively, the plugin can be disabled temporarily.