Lucene search

GitHub_MCVELIST:CVE-2023-43658

HistoryOct 16, 2023 - 9:28 p.m.

CVE-2023-43658 Improper escaping of user input in discourse-calendar

2023-10-1621:28:57

CWE-79

GitHub_M

www.cve.org

discourse-calendar

user input

cross-site scripting

email preview

csp

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

24.2%

JSON

dicourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the ‘email preview’ UI when a site has CSP disabled. Having CSP disabled is a non-default configuration, so the vast majority of sites are unaffected. This problem is resolved in the latest version of the discourse-calendar plugin. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse-calendar",
    "versions": [
      {
        "version": "< 97883109",
        "status": "affected"
      }
    ]
  }
]

References

developer.mozilla.org/en-US/docs/Web/HTTP/CSP

github.com/discourse/discourse-calendar/commit/9788310906febb36822d6823d14f1059c39644de

github.com/discourse/discourse-calendar/security/advisories/GHSA-3fwj-f6ww-7hr6

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

24.2%

JSON

Related for CVELIST:CVE-2023-43658