CVE-2024-45303 MEDIUM

CVE-2024-45303: Discourse Calendar plugin event names susceptible to XSS

Vendor Discourse
Product discourse-calendar
Weakness CWE-79 · XSS
Published September 12, 2024
Last update September 12, 2024

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Discourse Calendar plugin adds to Discourse the ability to create a dynamic calendar in the first post of a topic. Event names can be susceptible to XSS attacks when they are rendered. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in version 0.5 of the Discourse Calendar plugin.

Key dates

02 Disclosure timeline

September 12, 2024 CVE published
September 12, 2024 Record updated