Uninvited user is able to join and mark the attendance of the the private event
CVE-2024-26145

6.5MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse-calendar
Vendor: CVE Published:; 21 February 2024

Summary

Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on Discourse. Uninvited users are able to gain access to private events by crafting a request to update their attendance. This problem is resolved in commit dfc4fa15f340189f177a1d1ab2cc94ffed3c1190. As a workaround, one may use post visibility to limit access.

Affected Version(s)

discourse-calendar >= 2201b254, < dfc4fa15f340189f177a1d1ab2cc94ffed3c1190

References

https://github.com/discourse/discourse-calendar/security/...

x_refsource_CONFIRM

https://github.com/discourse/discourse-calendar/commit/df...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 21, 2024
Vulnerability Reserved
Feb 14, 2024