discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-09-28T18:04:26.672Z
Updated: 2024-08-02T19:44:44.057Z
Reserved: 2023-09-20T15:35:38.148Z
Link: CVE-2023-43657
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2023-09-28T19:15:10.547
Modified: 2023-10-02T20:15:53.177
Link: CVE-2023-43657
Redhat
No data.