CVE-2023-43658

Improper escaping of user input in discourse-calendar

CVSS 8 HIGHEPSS 0.5%CWE-79

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

16 out 2023Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

dicourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP disabled is a non-default configuration, so the vast majority of sites are unaffected. This problem is resolved in the latest version of the discourse-calendar plugin. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Produtos afetados

discourse · discourse-calendar

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP https://github.com/discourse/discourse-calendar/commit/9788310906febb36822d6823d14f1059c39644de https://github.com/discourse/discourse-calendar/security/advisories/GHSA-3fwj-f6ww-7hr6