CVE-2023-43657 - Vulnerability Details - OpenCVE

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Discourse	Discourse-encrypt

Configuration 1 [-]

cpe:2.3:a:discourse:discourse-encrypt:*:*:*:*:*:discourse:*:*

No data.

References

Link	Providers
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e
https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v

History

Mon, 23 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:discourse:discourse-encrypt:-:::::discourse::
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-28T18:04:26.672Z

Updated: 2024-09-23T18:21:57.902Z

Reserved: 2023-09-20T15:35:38.148Z

Link: CVE-2023-43657

Vulnrichment

Updated: 2024-08-02T19:44:44.057Z

NVD

Status : Modified

Published: 2023-09-28T19:15:10.547

Modified: 2024-11-21T08:24:33.580

Link: CVE-2023-43657

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-43657", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-20T15:35:38.148Z", "datePublished": "2023-09-28T18:04:26.672Z", "dateUpdated": "2024-09-23T18:21:57.902Z"}, "containers": {"cna": {"title": "Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v"}, {"name": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e"}, {"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "tags": ["x_refsource_MISC"], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"}], "affected": [{"vendor": "discourse", "product": "discourse-encrypt", "versions": [{"version": "<= c492904c", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-28T18:04:26.672Z"}, "descriptions": [{"lang": "en", "value": "discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured."}], "source": {"advisory": "GHSA-5fh6-wp7p-xx7v", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:44.057Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v"}, {"name": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e"}, {"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"}]}, {"affected": [{"vendor": "discourse", "product": "discourse-encrypt", "cpes": ["cpe:2.3:a:discourse:discourse-encrypt:-:*:*:*:*:discourse:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "c492904c", "versionType": "git"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T18:19:59.485389Z", "id": "CVE-2023-43657", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T18:21:57.902Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v", "name": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e", "name": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:44:44.057Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-43657", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-23T18:19:59.485389Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:discourse:discourse-encrypt:-:*:*:*:*:discourse:*:*"], "vendor": "discourse", "product": "discourse-encrypt", "versions": [{"status": "affected", "version": "0", "versionType": "git", "lessThanOrEqual": "c492904c"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T18:21:53.380Z"}}], "cna": {"title": "Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration", "source": {"advisory": "GHSA-5fh6-wp7p-xx7v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "discourse", "product": "discourse-encrypt", "versions": [{"status": "affected", "version": "<= c492904c"}]}], "references": [{"url": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v", "name": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e", "name": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e", "tags": ["x_refsource_MISC"]}, {"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-28T18:04:26.672Z"}}}, "cveMetadata": {"cveId": "CVE-2023-43657", "state": "PUBLISHED", "dateUpdated": "2024-09-23T18:21:57.902Z", "dateReserved": "2023-09-20T15:35:38.148Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-09-28T18:04:26.672Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse-encrypt:*:*:*:*:*:discourse:*:*", "matchCriteriaId": "F107A6F2-A831-40B8-9052-CE35E247D142", "versionEndExcluding": "2023-09-28", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured."}, {"lang": "es", "value": "discourse-encrypt es un complemento que proporciona un canal de comunicaci\u00f3n seguro a trav\u00e9s de Discourse. El escape inadecuado de los topic titles cifrados podr\u00eda provocar un problema de Cross Site Scripting (XSS) cuando un sitio tiene los encabezados de la pol\u00edtica de seguridad de contenido (CSP) deshabilitados. Tener CSP deshabilitado es una configuraci\u00f3n no predeterminada, y tenerlo deshabilitado con el discourse-encrypt instalado generar\u00e1 una advertencia en el panel de administraci\u00f3n de Discourse. Esto se solucion\u00f3 en el commit `9c75810af9` que se incluye en la \u00faltima versi\u00f3n del complemento discourse-encrypt. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben asegurarse de que los encabezados CSP est\u00e9n habilitados y configurados correctamente."}], "id": "CVE-2023-43657", "lastModified": "2024-11-21T08:24:33.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-28T19:15:10.547", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}