NVD:CVE-2023-43659 (source: nvd)
History: Oct 16, 2023 - 10:15 p.m.

CVE-2023-43659

2023-10-16 22:15:12
CWE-79
web.nvd.nist.gov
Tags: discourse, community discussion platform, cross-site scripting, cve-2023-43659, csp, patch, upgrade

CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score: 7.7 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 14.1%)

Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the 3.2.0.beta1 release. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.

Affected configurations

NVD
Node
discourse discourse Range 3.1.1 stable
OR
discourse discourse Match 3.2.0 beta1 beta
