{"containers": {"cna": {"affected": [{"product": "discourse-footnote", "vendor": "discourse", "versions": [{"status": "affected", "version": "< 0.2"}]}], "descriptions": [{"lang": "en", "value": "discourse-footnote is a library providing footnotes for posts in Discourse. ### Impact When posting an inline footnote wrapped in `<a>` tags (e.g. `<a>^[footnote]</a>`, the resulting rendered HTML would include a nested `<a>`, which is stripped by Nokogiri because it is not valid. This then caused a javascript error on topic pages because we were looking for an `<a>` element inside the footnote reference span and getting its ID, and because it did not exist we got a null reference error in javascript. Users are advised to update to version 0.2. As a workaround editing offending posts from the rails console or the database console for self-hosters, or disabling the plugin in the admin panel can mitigate this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-755", "description": "CWE-755: Improper Handling of Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-14T22:20:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse-footnote/security/advisories/GHSA-58vr-c56v-qr57"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse-footnote/commit/796617e0131277011207541313522cd1946661ab"}], "source": {"advisory": "GHSA-58vr-c56v-qr57", "discovery": "UNKNOWN"}, "title": "Inline footnotes wrapped in <a> tags can cause errors in discourse-footnotes", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43827", "STATE": "PUBLIC", "TITLE": "Inline footnotes wrapped in <a> tags can cause errors in discourse-footnotes"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "discourse-footnote", "version": {"version_data": [{"version_value": "< 0.2"}]}}]}, "vendor_name": "discourse"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "discourse-footnote is a library providing footnotes for posts in Discourse. ### Impact When posting an inline footnote wrapped in `<a>` tags (e.g. `<a>^[footnote]</a>`, the resulting rendered HTML would include a nested `<a>`, which is stripped by Nokogiri because it is not valid. This then caused a javascript error on topic pages because we were looking for an `<a>` element inside the footnote reference span and getting its ID, and because it did not exist we got a null reference error in javascript. Users are advised to update to version 0.2. As a workaround editing offending posts from the rails console or the database console for self-hosters, or disabling the plugin in the admin panel can mitigate this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-755: Improper Handling of Exceptional Conditions"}]}]}, "references": {"reference_data": [{"name": "https://github.com/discourse/discourse-footnote/security/advisories/GHSA-58vr-c56v-qr57", "refsource": "CONFIRM", "url": "https://github.com/discourse/discourse-footnote/security/advisories/GHSA-58vr-c56v-qr57"}, {"name": "https://github.com/discourse/discourse-footnote/commit/796617e0131277011207541313522cd1946661ab", "refsource": "MISC", "url": "https://github.com/discourse/discourse-footnote/commit/796617e0131277011207541313522cd1946661ab"}]}, "source": {"advisory": "GHSA-58vr-c56v-qr57", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:03:08.963Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse-footnote/security/advisories/GHSA-58vr-c56v-qr57"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse-footnote/commit/796617e0131277011207541313522cd1946661ab"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43827", "datePublished": "2021-12-14T22:20:09", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-04T04:03:08.963Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse_footnote:*:*:*:*:*:discourse:*:*", "matchCriteriaId": "08855F99-016D-4D36-A462-6D60CB5C970F", "versionEndExcluding": "0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "discourse-footnote is a library providing footnotes for posts in Discourse. ### Impact When posting an inline footnote wrapped in `<a>` tags (e.g. `<a>^[footnote]</a>`, the resulting rendered HTML would include a nested `<a>`, which is stripped by Nokogiri because it is not valid. This then caused a javascript error on topic pages because we were looking for an `<a>` element inside the footnote reference span and getting its ID, and because it did not exist we got a null reference error in javascript. Users are advised to update to version 0.2. As a workaround editing offending posts from the rails console or the database console for self-hosters, or disabling the plugin in the admin panel can mitigate this issue."}, {"lang": "es", "value": "discourse-footnote es una biblioteca que proporciona notas a pie de p\u00e1gina para los mensajes en Discourse. ### Impacto Cuando es publicada una nota al pie de p\u00e1gina en l\u00ednea envuelta en etiquetas \"(a)\" (por ejemplo, \"(a)^[footnote](/a)\", el HTML resultante incluye un \"(a)\" anidado, que es eliminado por Nokogiri porque no es v\u00e1lido. Esto causaba un error de javascript en las p\u00e1ginas de los temas porque busc\u00e1bamos un elemento \"(a)\" dentro del span de referencia de la nota al pie y obten\u00edamos su ID, y como no se presentaba obten\u00edamos un error de referencia null en javascript. Es recomendado a usuarios que actualicen a la versi\u00f3n 0.2. Como soluci\u00f3n a este problema, pueden editarse las entradas en cuesti\u00f3n desde la consola de rails o la consola de la base de datos en el caso de los auto alojados, o deshabilitar el plugin en el panel de administraci\u00f3n"}], "id": "CVE-2021-43827", "lastModified": "2024-11-21T06:29:52.763", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-12-14T23:15:08.020", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/discourse-footnote/commit/796617e0131277011207541313522cd1946661ab"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/discourse-footnote/security/advisories/GHSA-58vr-c56v-qr57"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/discourse-footnote/commit/796617e0131277011207541313522cd1946661ab"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/discourse-footnote/security/advisories/GHSA-58vr-c56v-qr57"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}