Discourse Calendar plugin adds the ability to create a dynamic calendar in the first post of a topic to Discourse. Rendering event names can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in version 0.5 of the Discourse Calendar plugin.
References
Configurations
History
18 Sep 2024, 20:25
Type | Values Removed | Values Added |
---|---|---|
First Time |
Discourse
Discourse calendar |
|
CPE | cpe:2.3:a:discourse:calendar:*:*:*:*:*:*:*:* | |
Summary |
|
|
References | () https://github.com/discourse/discourse-calendar/commit/81e1c8e3c4c02276fb890da7e3f684259aeb685c - Patch | |
References | () https://github.com/discourse/discourse-calendar/security/advisories/GHSA-rq37-8pf3-4xc8 - Vendor Advisory |
12 Sep 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-12 19:15
Updated : 2024-09-18 20:25
NVD link : CVE-2024-45303
Mitre link : CVE-2024-45303
CVE.ORG link : CVE-2024-45303
JSON object : View
Products Affected
discourse
- calendar
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')