CVE-2023-43657

Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.

discourse-encrypt es un complemento que proporciona un canal de comunicación seguro a través de Discourse. El escape inadecuado de los topic titles cifrados podría provocar un problema de Cross Site Scripting (XSS) cuando un sitio tiene los encabezados de la política de seguridad de contenido (CSP) deshabilitados. Tener CSP deshabilitado es una configuración no predeterminada, y tenerlo deshabilitado con el discourse-encrypt instalado generará una advertencia en el panel de administración de Discourse. Esto se solucionó en el commit `9c75810af9` que se incluye en la última versión del complemento discourse-encrypt. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que los encabezados CSP estén habilitados y configurados correctamente.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-09-20 CVE Reserved
2023-09-28 CVE Published
2024-09-23 CVE Updated
2024-10-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP	Product

URL	Date	SRC

URL	Date	SRC
https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e	2023-10-02

URL	Date	SRC
https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v	2023-10-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Discourse Search vendor "Discourse"		Discourse-encrypt Search vendor "Discourse" for product "Discourse-encrypt"				< 2023-09-28 Search vendor "Discourse" for product "Discourse-encrypt" and version " < 2023-09-28"		discourse		Affected