Dynamic Calendar Plugin Fixes Security Issue
CVE-2024-24817

5.3MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse-calendar
Vendor: CVE Published:; 22 February 2024

What is CVE-2024-24817?

Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs (private messages) can be retrieved by anyone, even if they're not logged in. This problem is resolved in version 0.4 of the discourse-calendar plugin. While no known workaround is available, putting the site behind login_required will disallow this endpoint to be used by anonymous users, but logged in users can still get the list of invitees in the private topics.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

discourse-calendar < 0.4

References

https://github.com/discourse/discourse-calendar/security/...

x_refsource_CONFIRM

https://github.com/discourse/discourse-calendar/commit/84...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 22, 2024
Vulnerability Reserved
Jan 31, 2024

JSON

Discourse

What is CVE-2024-24817?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.