Vulnerability Monitor

CVE-2023-43659


Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the 3.2.0.beta1 release. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.


Published: 2023-10-16T22:15:12.237

Last Modified: 2024-11-21T08:24:33.860

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 8.0 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-79

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | discourse | discourse | ≤ 3.1.1 | Yes |
| Application | discourse | discourse | 3.2.0 | Yes |

References