CVE-2023-43657

Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration

Description

discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross-site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9`, which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.

Category

CVSS 3.1 base score: 7.2 (Severity: High)
EPSS: 0.41%
Vendor Advisory: github.com
Affected: discourse discourse-encrypt
Published at:
Updated at:

References

Frequently Asked Questions

What is the severity of CVE-2023-43657?
CVE-2023-43657 has been scored as a high severity vulnerability.
How to fix CVE-2023-43657?
To fix CVE-2023-43657, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2023-43657 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2023-43657 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-43657?
CVE-2023-43657 affects discourse discourse-encrypt.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.