CVE-2023-43657

Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2023-09-20 CVE Reserved
  • 2023-09-28 CVE Published
  • 2024-09-23 CVE Updated
  • 2024-10-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor: Discourse
Product: Discourse-encrypt
Version: < 2023-09-28
Other: discourse
Status: Affected