CVE-2023-43657

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-43657
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-43657.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-43657
Related
  • GHSA-5fh6-wp7p-xx7v
Published
2023-09-28T19:15:10Z
Modified
2025-01-14T20:30:53Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross-site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed results in a warning in the Discourse admin dashboard. This has been fixed in commit 9c75810af9, which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.

References

Affected packages

Git / github.com/discourse/discourse-encrypt

Affected ranges

Type
GIT
Repo
https://github.com/discourse/discourse-encrypt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed