Vulnerability Details CVE-2023-43658
discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP disabled is a non-default configuration, so the vast majority of sites are unaffected. This problem is resolved in the latest version of the discourse-calendar plugin. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.2%
CVSS Severity
CVSS v3 Score 8.0
Products affected by CVE-2023-43658
- cpe:2.3:a:discourse:discourse_calendar:-
- cpe:2.3:a:discourse:discourse_calendar:1.0.0
- cpe:2.3:a:discourse:discourse_calendar:1.0.1