CVE-2023-43657

2023-09-2819:15:10

CWE-79

[email protected]

web.nvd.nist.gov

discourse-encrypt

secure communication

xss

csp

upgrade

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

20.4%

JSON

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit 9c75810af9 which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.

Affected configurations

NVD

Node

discoursediscourse-encryptRange<2023-09-28discourse

CPENameOperatorVersion
discourse:discourse-encryptdiscourse discourse-encryptlt2023-09-28

CPE	Name	Operator	Version
discourse:discourse-encrypt	discourse discourse-encrypt	lt	2023-09-28

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse-encrypt",
    "versions": [
      {
        "version": "<= c492904c",
        "status": "affected"
      }
    ]
  }
]