Home > Vulnerability Database > CVE-2023-43659

Mend.io Vulnerability Database

CVE-2023-43659

Date: October 16, 2023

Discourse is an open source platform for community discussion. Improper escaping of user input allowed for Cross-site Scripting attacks via the digest email preview UI. This issue only affects sites with CSP disabled. This issue has been patched in the 3.1.1 stable release as well as the 3.2.0.beta1 release. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.

Language: Ruby

Severity Score

8.0

Related Resources (4)

Url: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-43659

Url: https://github.com/discourse/discourse/security/advisories/GHSA-g4qg-5q2h-m8ph

Url: https://www.mend.io/vulnerability-database/CVE-2023-43659

Severity Score

8.0

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	8.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-43659

Date: October 16, 2023

Language: Ruby

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?