CVE-2023-43657
Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.
discourse-encrypt es un complemento que proporciona un canal de comunicación seguro a través de Discourse. El escape inadecuado de los topic titles cifrados podría provocar un problema de Cross Site Scripting (XSS) cuando un sitio tiene los encabezados de la política de seguridad de contenido (CSP) deshabilitados. Tener CSP deshabilitado es una configuración no predeterminada, y tenerlo deshabilitado con el discourse-encrypt instalado generará una advertencia en el panel de administración de Discourse. Esto se solucionó en el commit `9c75810af9` que se incluye en la última versión del complemento discourse-encrypt. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que los encabezados CSP estén habilitados y configurados correctamente.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2023-09-20 CVE Reserved
- 2023-09-28 CVE Published
- 2024-09-23 CVE Updated
- 2024-10-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP | Product |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e | 2023-10-02 |
URL | Date | SRC |
---|---|---|
https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v | 2023-10-02 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Discourse Search vendor "Discourse" | Discourse-encrypt Search vendor "Discourse" for product "Discourse-encrypt" | < 2023-09-28 Search vendor "Discourse" for product "Discourse-encrypt" and version " < 2023-09-28" | discourse |
Affected
|