Description
dicourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP disabled is a non-default configuration, so the vast majority of sites are unaffected. This problem is resolved in the latest version of the discourse-calendar plugin. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/discourse/discourse-calendar/security/advisories/GHSA-3fwj-f6ww-7hr6
Patch x_refsource_misc
https://github.com/discourse/discourse-calendar/commit/9788310906febb36822d6823d14f1059c39644de
Third Party Advisory x_refsource_misc
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Scores
CVSS v3
8.0
EPSS
0.0057
EPSS Percentile
68.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (1)
discourse/discourse_calendar
< 2023-10-16
Published
Oct 16, 2023
Tracked Since
Feb 18, 2026