CVE-2023-43659

Published: Oct 16, 2023Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the 3.2.0.beta1 release. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.

Affected (2)

Products: Discourse: Discourse

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Up to 3.1.1
Discourse Discourse	Version 3.2.0 beta1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Source: security-advisories@github.com

Third Party Advisory

https://github.com/discourse/discourse/security/advisories/GHSA-g4qg-5q2h-m8ph

Source: security-advisories@github.com

Vendor Advisory

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/discourse/discourse/security/advisories/GHSA-g4qg-5q2h-m8ph

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.