CVE-2023-43659
8
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the 3.2.0.beta1 release. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| discourse | discourse | stable <= 3.1.1 | affected |
| discourse | discourse | beta <= 3.2.0.beta1 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/discourse/discourse/security/advisories/GHSA-g4qg-5q2h-m8ph
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/discourse/discourse/security/advisories/GHSA-g4qg-5q2h-m8ph
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.