CVE-2023-43657
- Source
- https://cve.org/CVERecord?id=CVE-2023-43657
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-43657.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-43657
- Aliases
-
- GHSA-5fh6-wp7p-xx7v
- Published
- 2023-09-28T18:04:26.672Z
- Modified
- 2025-11-29T14:42:27.662531Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration
- Details
-
discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit
9c75810af9which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/43xxx/CVE-2023-43657.json", "cwe_ids": [ "CWE-79" ], "cna_assigner": "GitHub_M" }- References
-
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/43xxx/CVE-2023-43657.json
- https://github.com/discourse/discourse-encrypt/commit/9c75810af9a474d7edaec67dea66f852c0ba1f4e
- https://github.com/discourse/discourse-encrypt/security/advisories/GHSA-5fh6-wp7p-xx7v
- https://nvd.nist.gov/vuln/detail/CVE-2023-43657