CVE-2023-43659: XSS
First published: Mon Oct 16 2023(Updated: )
Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the 3.2.0.beta1 release. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Discourse Discourse | <=3.1.1 | |
| Discourse Discourse | =3.2.0-beta1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-43659?
CVE-2023-43659 is a vulnerability in Discourse that allows for Cross-site Scripting attacks via the digest email preview UI.
What software versions are affected by CVE-2023-43659?
CVE-2023-43659 affects Discourse versions up to and including 3.1.1 and version 3.2.0-beta1.
How severe is CVE-2023-43659?
CVE-2023-43659 has a severity rating of 5.4 (high).
How can I fix CVE-2023-43659?
To fix CVE-2023-43659, update your Discourse instance to the 3.1.1 stable release or the 3.2.0.beta1 release.
What is Cross-site Scripting (XSS)?
Cross-site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
- collector/nvd-api
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/tags
- agent/event
- agent/weakness
- agent/type
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/discourse
- canonical/discourse discourse
- version/discourse discourse/3.1.1
- version/discourse discourse/3.2.0-beta1