CVE-2024-45303

Discourse Calendar plugin adds the ability to create a dynamic calendar in the first post of a topic to Discourse. Rendering event names can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in version 0.5 of the Discourse Calendar plugin.
Configurations

Configuration 1 (hide)

cpe:2.3:a:discourse:calendar:*:*:*:*:*:*:*:*

History

18 Sep 2024, 20:25

Type Values Removed Values Added
First Time Discourse
Discourse calendar
CPE cpe:2.3:a:discourse:calendar:*:*:*:*:*:*:*:*
Summary
  • (es) El complemento Discourse Calendar agrega la capacidad de crear un calendario dinámico en la primera publicación de un tema en Discourse. La representación de los nombres de los eventos puede ser susceptible a ataques XSS. Esta vulnerabilidad solo afecta a los sitios que han modificado o deshabilitado la Política de seguridad de contenido predeterminada de Discourse. El problema se solucionó en la versión 0.5 del complemento Discourse Calendar.
References () https://github.com/discourse/discourse-calendar/commit/81e1c8e3c4c02276fb890da7e3f684259aeb685c - () https://github.com/discourse/discourse-calendar/commit/81e1c8e3c4c02276fb890da7e3f684259aeb685c - Patch
References () https://github.com/discourse/discourse-calendar/security/advisories/GHSA-rq37-8pf3-4xc8 - () https://github.com/discourse/discourse-calendar/security/advisories/GHSA-rq37-8pf3-4xc8 - Vendor Advisory

12 Sep 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-12 19:15

Updated : 2024-09-18 20:25


NVD link : CVE-2024-45303

Mitre link : CVE-2024-45303

CVE.ORG link : CVE-2024-45303


JSON object : View

Products Affected

discourse

  • calendar
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')