CVE-2023-43659

Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the 3.2.0.beta1 release. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
discoursediscourse
𝑥
≤ 3.1.1
discoursediscourse
3.2.0:beta1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
discoursediscourse
stable ≤
𝑥
≤ 3.1.1
ADP
discoursediscourse
beta ≤
𝑥
≤ 3.2.0.beta1
ADP
Common Weakness Enumeration
References
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://github.com/discourse/discourse/security/advisories/GHSA-g4qg-5q2h-m8ph
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://github.com/discourse/discourse/security/advisories/GHSA-g4qg-5q2h-m8ph