What is CVE-2023-43657?

CVE-2023-43657 is a vulnerability in the discourse-encrypt plugin that allows for cross site scripting (XSS) attacks.

What is the severity of CVE-2023-43657?

The severity of CVE-2023-43657 is high, with a severity value of 6.1.

How does CVE-2023-43657 occur?

CVE-2023-43657 occurs due to improper escaping of encrypted topic titles, which can lead to a cross site scripting (XSS) issue.

Where can I find more information about CVE-2023-43657?

More information about CVE-2023-43657 can be found in the references provided: [link1], [link2], [link3].

Vulnerability/
CVE-2023-43657

high

7.2

CWE

28/9/2023

23/9/2024

CVE-2023-43657: Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration

Q: How can I fix CVE-2023-43657?

To fix CVE-2023-43657, it is recommended to update to the latest version of the discourse-encrypt plugin and enable Content Security Policy (CSP) headers.

First published: Thu Sep 28 2023(Updated: )

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse Discourse-encrypt	<2023-09-28

Remedy

https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-43657?
CVE-2023-43657 is a vulnerability in the discourse-encrypt plugin that allows for cross site scripting (XSS) attacks.
What is the severity of CVE-2023-43657?
The severity of CVE-2023-43657 is high, with a severity value of 6.1.
How does CVE-2023-43657 occur?
CVE-2023-43657 occurs due to improper escaping of encrypted topic titles, which can lead to a cross site scripting (XSS) issue.
How can I fix CVE-2023-43657?
To fix CVE-2023-43657, it is recommended to update to the latest version of the discourse-encrypt plugin and enable Content Security Policy (CSP) headers.
Where can I find more information about CVE-2023-43657?
More information about CVE-2023-43657 can be found in the references provided: [link1], [link2], [link3].

collector/nvd-api
collector/nvd-index
agent/author
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/severity
agent/remedy
agent/weakness
agent/title
agent/references
agent/last-modified-date
agent/first-publish-date
agent/event
agent/description
agent/tags
agent/source
vendor/discourse
canonical/discourse discourse-encrypt

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.