Dynamic Calendar Plugin Fixes Security Issue
CVE-2024-24817

4.3MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse-calendar
Vendor: CVE Published:; 22 February 2024

Summary

Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs (private messages) can be retrieved by anyone, even if they're not logged in. This problem is resolved in version 0.4 of the discourse-calendar plugin. While no known workaround is available, putting the site behind login_required will disallow this endpoint to be used by anonymous users, but logged in users can still get the list of invitees in the private topics.

Affected Version(s)

discourse-calendar < 0.4

References

https://github.com/discourse/discourse-calendar/security/...

x_refsource_CONFIRM

https://github.com/discourse/discourse-calendar/commit/84...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 22, 2024
Vulnerability Reserved
Jan 31, 2024