CVE-2024-45303

Discourse Calendar plugin adds the ability to create a dynamic calendar in the first post of a topic to Discourse. Rendering event names can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in version 0.5 of the Discourse Calendar plugin.
Configurations

Configuration 1 (hide)

cpe:2.3:a:discourse:calendar:*:*:*:*:*:*:*:*

History

18 Sep 2024, 20:25

Type Values Removed Values Added
CPE cpe:2.3:a:discourse:calendar:*:*:*:*:*:*:*:*
First Time Discourse calendar
Discourse
References () https://github.com/discourse/discourse-calendar/commit/81e1c8e3c4c02276fb890da7e3f684259aeb685c - () https://github.com/discourse/discourse-calendar/commit/81e1c8e3c4c02276fb890da7e3f684259aeb685c - Patch
References () https://github.com/discourse/discourse-calendar/security/advisories/GHSA-rq37-8pf3-4xc8 - () https://github.com/discourse/discourse-calendar/security/advisories/GHSA-rq37-8pf3-4xc8 - Vendor Advisory
Summary
  • (es) El complemento Discourse Calendar agrega la capacidad de crear un calendario dinámico en la primera publicación de un tema en Discourse. La representación de los nombres de los eventos puede ser susceptible a ataques XSS. Esta vulnerabilidad solo afecta a los sitios que han modificado o deshabilitado la Política de seguridad de contenido predeterminada de Discourse. El problema se solucionó en la versión 0.5 del complemento Discourse Calendar.

12 Sep 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-12 19:15

Updated : 2024-09-18 20:25


NVD link : CVE-2024-45303

Mitre link : CVE-2024-45303

CVE.ORG link : CVE-2024-45303


JSON object : View

Products Affected

discourse

  • calendar
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')