CVE-2022-46162: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in discourse discourse-bbcode
discourse-bbcode is the official BBCode plugin for Discourse. Prior to commit 91478f5, CSS injection can occur when rendering content generated with the discourse-bbcode plugin. This vulnerability only affects sites which have the discourse-bbcode plugin installed and enabled. This issue is patched in commit 91478f5. As a workaround, ensure that the Content Security Policy is enabled and monitor any posts that contain bbcode.
AI Analysis
Technical Summary
CVE-2022-46162 is a vulnerability in the discourse-bbcode plugin, the official BBCode plugin for the Discourse forum platform. It is classified under CWE-74, improper neutralization of special elements in output used by a downstream component, i.e. an injection flaw. Prior to commit 91478f5, the plugin allowed CSS injection when rendering content that included BBCode: an attacker could craft BBCode that, when rendered by the vulnerable plugin, injects attacker-controlled CSS into the page. Such CSS injection can be used to manipulate the appearance of the forum, enabling visual spoofing, UI redressing, or exfiltration of sensitive information via CSS-based side channels. Only Discourse sites with the discourse-bbcode plugin installed and enabled are affected, and only versions prior to commit 91478f5 are vulnerable. The issue was patched in commit 91478f5, which presumably introduced proper sanitization or neutralization of CSS content within BBCode rendering. No known exploits in the wild have been reported to date. As a workaround, enabling a strict Content Security Policy (CSP) can mitigate the risk by restricting the application of injected inline CSS, and monitoring posts containing BBCode for suspicious or anomalous content can help detect attempted exploitation. The vulnerability requires no authentication or user interaction beyond posting BBCode content, which any user with posting privileges could do. The scope is limited to Discourse installations using the discourse-bbcode plugin, a subset of all Discourse forums. The impact primarily affects the integrity and potentially the confidentiality of forum content and the user experience; it does not directly compromise server-side systems or data.
Potential Impact
For European organizations running Discourse forums with the discourse-bbcode plugin enabled, this vulnerability could allow attackers to inject malicious CSS into forum posts. This can lead to UI manipulation, misleading users, or theft of sensitive information through CSS-based attacks such as history sniffing or exfiltration via crafted styles. While it does not directly allow code execution or server compromise, the integrity of forum content and user trust can be undermined. Organizations relying on Discourse for community engagement, customer support, or internal collaboration may face reputational damage or data-leakage risks, and the impact is more pronounced for forums with high user interaction or sensitive discussions. Because any user able to post BBCode can exploit the vulnerability, it poses a risk of persistent malicious content affecting all visitors. The absence of known exploits reduces immediate risk, but the medium severity rating suggests that timely patching is important. The vulnerability does not affect availability, but it can degrade user experience and trust.
Mitigation Recommendations
1. Upgrade the discourse-bbcode plugin to a version that includes commit 91478f5 or later, ensuring the patch is applied.
2. If immediate patching is not possible, enforce a strict Content Security Policy (CSP) that restricts inline styles and disallows loading of untrusted CSS to mitigate CSS injection impact.
3. Implement monitoring and alerting on posts containing BBCode, especially those with complex or unusual style attributes, to detect potential exploitation attempts.
4. Limit BBCode usage permissions to trusted users or moderators where feasible to reduce the attack surface.
5. Educate forum administrators and moderators about this vulnerability and encourage regular plugin updates and security reviews.
6. Review and sanitize user-generated content at the application level to ensure no malicious CSS or scripts are embedded.
7. Consider disabling the discourse-bbcode plugin temporarily if it is not essential, until patched.
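The following is an added example, not code from Discourse or the discourse-bbcode plugin, illustrating recommendations 2 and 3 above: a heuristic that flags BBCode posts whose style-carrying tag values contain CSS constructs a plain colour or size value never needs (so a reviewer or alerting pipeline can look at them), and a check on a Content-Security-Policy header for whether it would let injected inline styles apply at all. The tag names in STYLE_TAGS, the suspicious-pattern list and the sample posts are constructed assumptions for illustration; the page does not say which tags the plugin mishandled.

```python
"""Defensive checks for CSS injection via BBCode (constructed example)."""
import re
from typing import Dict, List

# Assumption: BBCode tags that a renderer typically turns into an inline
# style. The real plugin's tag set may differ.
STYLE_TAGS = ("color", "bgcolor", "size", "font", "highlight", "float")

# Matches an opening tag such as [color=red]; the value is everything up to ']'.
TAG_RE = re.compile(r"\[(?P<name>[a-z]+)(?:=(?P<value>[^\]]*))?\]", re.I)

# Constructs that have no place inside a simple colour/size/font value.
# Any of them suggests the value is trying to reach beyond the single
# CSS property the tag is meant to set.
SUSPICIOUS = [
    (re.compile(r"[;{}]"), "declaration terminator or brace in value"),
    (re.compile(r"url\s*\(", re.I), "url() in value"),
    (re.compile(r"@import", re.I), "@import in value"),
    (re.compile(r"expression\s*\(", re.I), "expression() in value"),
    (re.compile(r"</?\w", re.I), "HTML tag in value"),
    (re.compile(r"[\"']"), "quote character in value"),
]


def flag_bbcode_post(body: str) -> List[Dict[str, str]]:
    """Return one finding per style-carrying tag whose value looks unsafe."""
    findings = []
    for match in TAG_RE.finditer(body):
        name = match.group("name").lower()
        value = match.group("value")
        if name not in STYLE_TAGS or value is None:
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(value):
                findings.append({"tag": name, "value": value, "reason": reason})
                break  # one reason per tag is enough for an alert
    return findings


def csp_allows_inline_styles(header: str) -> bool:
    """True if this Content-Security-Policy would let injected inline styles apply.

    Simplified: looks at style-src, falling back to default-src as browsers do,
    and treats a missing policy for styles as permissive. Nonces, hashes and
    the style-src-attr/style-src-elem directives are not modelled.
    """
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("style-src", directives.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


# Constructed sample posts: the first and third are ordinary BBCode, the
# second carries a second CSS declaration inside a colour value.
SAMPLE_POSTS = [
    "Hello [color=red]world[/color] and [size=4]big[/size]",
    "Look [color=red; font-size: 200px]here[/color]",
    "[b]bold[/b] [url=https://example.invalid]link[/url]",
]


def scan_posts(posts: List[str]) -> Dict[int, List[Dict[str, str]]]:
    """Map post index -> findings, for posts that produced any."""
    return {i: f for i, p in enumerate(posts) if (f := flag_bbcode_post(p))}


if __name__ == "__main__":
    for idx, found in scan_posts(SAMPLE_POSTS).items():
        print(f"post {idx}: {found}")
    weak = "default-src 'self'; style-src 'self' 'unsafe-inline'"
    strict = "default-src 'self'; style-src 'self'"
    print("weak CSP allows inline styles:", csp_allows_inline_styles(weak))
    print("strict CSP allows inline styles:", csp_allows_inline_styles(strict))
```

The heuristic is deliberately biased toward false positives: a flagged post is a review queue item, not an automatic block, and the CSP check is the quick way to confirm whether an injected style attribute would even take effect on a given site.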
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-11-28T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf6edf
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 8:06:35 PM
Last updated: 7/28/2025, 10:27:53 PM