CVE-2023-43657 (GCVE-0-2023-43657)
Vulnerability from cvelistv5 – Published: 2023-09-28 18:04 – Updated: 2024-09-23 18:21
Title
Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration
Summary
discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
GitHub_M
References
3 references
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse-encrypt/se… | x_refsource_CONFIRM |
| https://github.com/discourse/discourse-encrypt/co… | x_refsource_MISC |
| https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| discourse | discourse-encrypt | Affected: <= c492904c |
| discourse | discourse-encrypt | Affected: 0, ≤ c492904c (git); `cpe:2.3:a:discourse:discourse-encrypt:-:*:*:*:*:discourse:*:*` |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:44.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v"
},
{
"name": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:discourse:discourse-encrypt:-:*:*:*:*:discourse:*:*"
],
"defaultStatus": "unknown",
"product": "discourse-encrypt",
"vendor": "discourse",
"versions": [
{
"lessThanOrEqual": "c492904c",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T18:19:59.485389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T18:21:57.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse-encrypt",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c= c492904c"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T18:04:26.672Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v"
},
{
"name": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"
}
],
"source": {
"advisory": "GHSA-5fh6-wp7p-xx7v",
"discovery": "UNKNOWN"
},
"title": "Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43657",
"datePublished": "2023-09-28T18:04:26.672Z",
"dateReserved": "2023-09-20T15:35:38.148Z",
"dateUpdated": "2024-09-23T18:21:57.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-43657",
"date": "2026-06-05",
"epss": "0.00412",
"percentile": "0.61849"
}
}
}