Improper escaping of user input in discourse-calendar
CVE-2023-43658

8 HIGH

Key Information:

Vendor:
Discourse
CVE Published:
16 October 2023

Summary

The Discourse Calendar plugin for the Discourse messaging platform is susceptible to Cross-site Scripting (XSS) because event titles are not properly escaped in the email preview interface; the issue is exploitable when Content Security Policy (CSP) is disabled. Although this typically affects only a minority of users, since running without CSP is not the default configuration, site administrators should upgrade to the latest version of the plugin to mitigate the risk. Those unable to upgrade are strongly advised to enable CSP on their forums. Further details and patches can be accessed through the provided source links.
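The defect class the summary describes, shown as an added illustration in Ruby (Discourse's language) that is not the plugin's own code: a plain ERB preview template that interpolates the event title without escaping, next to the hardened form that escapes it, plus a simple check over stored titles. The template, the sample titles and the CSP header value are all constructed for this example.

```ruby
require "erb"

# Constructed sample titles; not taken from the advisory.
BENIGN_TITLE = "Q&A with the team"
MARKUP_TITLE = "Planning <script>x()</script>"

# Minimal stand-in for an email preview template (assumed, not the real one).
# Plain ERB does not escape interpolated values, so a title containing markup
# lands in the HTML unchanged: the bug class the advisory describes.
VULNERABLE_TEMPLATE = ERB.new("<h2><%= title %></h2>")

# Hardened form: escape the title at the point it enters the HTML context.
HARDENED_TEMPLATE = ERB.new("<h2><%= ERB::Util.html_escape(title) %></h2>")

def vulnerable_preview(title)
  VULNERABLE_TEMPLATE.result_with_hash(title: title)
end

def hardened_preview(title)
  HARDENED_TEMPLATE.result_with_hash(title: title)
end

# Defensive check an operator might run over stored event titles: does the raw
# value contain something that would be parsed as an HTML tag if left unescaped?
def looks_like_markup?(title)
  title.match?(%r{<\s*/?[A-Za-z]})
end

# Second mitigation named in the advisory: a CSP that forbids inline scripts
# limits what unescaped markup can do even where escaping is missed.
# Assumed header value; Discourse's actual policy is not on this page.
CSP_HEADER = "Content-Security-Policy: script-src 'self'; object-src 'none'"

if __FILE__ == $0
  puts vulnerable_preview(MARKUP_TITLE)   # markup passes through untouched
  puts hardened_preview(MARKUP_TITLE)     # markup rendered as literal text
  puts looks_like_markup?(MARKUP_TITLE)   # true
end
```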

Affected Version(s)

discourse-calendar < 97883109

References

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved