CVE-2023-43657

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP	Product
https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e	Patch
https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v	Vendor Advisory
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP	Product
https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e	Patch
https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:discourse:discourse-encrypt:*:*:*:*:*:discourse:*:*

History

21 Nov 2024, 08:24

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-28 19:15

Updated : 2024-11-21 08:24

NVD link : CVE-2023-43657

Mitre link : CVE-2023-43657

CVE.ORG link : CVE-2023-43657

JSON object : View

Products Affected

discourse

discourse-encrypt

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-43657", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-09-28T19:15:10.547", "references": [{"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured."}, {"lang": "es", "value": "discourse-encrypt es un complemento que proporciona un canal de comunicaci\u00f3n seguro a trav\u00e9s de Discourse. El escape inadecuado de los topic titles cifrados podr\u00eda provocar un problema de Cross Site Scripting (XSS) cuando un sitio tiene los encabezados de la pol\u00edtica de seguridad de contenido (CSP) deshabilitados. Tener CSP deshabilitado es una configuraci\u00f3n no predeterminada, y tenerlo deshabilitado con el discourse-encrypt instalado generar\u00e1 una advertencia en el panel de administraci\u00f3n de Discourse. Esto se solucion\u00f3 en el commit `9c75810af9` que se incluye en la \u00faltima versi\u00f3n del complemento discourse-encrypt. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que los encabezados CSP est\u00e9n habilitados y configurados correctamente."}], "lastModified": "2024-11-21T08:24:33.580", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse-encrypt:*:*:*:*:*:discourse:*:*", "vulnerable": true, "matchCriteriaId": "F107A6F2-A831-40B8-9052-CE35E247D142", "versionEndExcluding": "2023-09-28"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}