3 matches found
CVE-2022-31059
CVE-2022-31059 affects the Discourse Calendar plugin for Discourse. Before version 1.0.1, parsing and rendering of Event names can be vulnerable to cross-site scripting (XSS) attacks when a site has modified or disabled Discourse’s default Content Security Policy. The issue is patched in version ...
CVE-2023-43658
The CVE-2023-43658 entry describes a Cross-Site Scripting (XSS) flaw in the discourse-calendar plugin for the Discourse platform. The issue arises from improper escaping of event titles, which can trigger XSS in the email preview UI when CSP is disabled. This configuration is non-default, so most...
CVE-2024-21658
CVE-2024-21658 affects the discourse-calendar plugin for Discourse. The issue is an overly loose restriction on the region value length, which can cause a Discourse instance to consume excessive bandwidth and disk space. The vulnerability is fixed in the main branch; there are no public workaroun...