This repository was archived by the owner on Jul 15, 2025. It is now read-only.

Calendar event names susceptible to XSS

Moderate
pmusaraj published GHSA-rq37-8pf3-4xc8 Sep 12, 2024

Package

Calendar plugin (Discourse)

Affected versions

<=0.4

Patched versions

>=0.5

Description

Impact

Rendering event names can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy.

Patches

The issue is patched in version 0.5 of the Discourse Calendar plugin.

Workarounds

Ensure that the setting content_security_policy is enabled and has not been modified in a way which would make it more vulnerable to XSS attacks.
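
One way to check the workaround above against the Content-Security-Policy header a site actually serves, as an added example that is not part of the advisory or the plugin's code. The list of weak sources is this example's assumption about what makes a policy "more vulnerable to XSS"; it is not Discourse's definition, and the sample header values are constructed.

```python
# Added example: flag Content-Security-Policy values that weaken protection
# against script injection. The rule set is an assumption of this example.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header_value):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Per the CSP spec, a repeated directive is ignored; the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_csp(header_value):
    """Return a list of findings; an empty list means no check fired."""
    if not header_value or not header_value.strip():
        return ["no Content-Security-Policy header: script execution is unrestricted"]
    policy = parse_csp(header_value)
    # script-src falls back to default-src when it is absent.
    name = next((d for d in ("script-src", "default-src") if d in policy), None)
    if name is None:
        return ["neither script-src nor default-src is set: scripts are unrestricted"]
    sources = [s.lower() for s in policy[name]]
    # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'.
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in sources)
    findings = []
    for src in sources:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if src in WEAK_SCRIPT_SOURCES:
            findings.append(f"{name} allows {src}")
    return findings

# Constructed sample header values, not captured from a real site.
SAMPLES = {
    "strict": "script-src 'nonce-cjNkYWNjZA' 'strict-dynamic'; object-src 'none'",
    "loosened": "script-src 'self' 'unsafe-inline' https:; object-src 'none'",
    "disabled": "",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, audit_csp(value))
```

The check is deliberately conservative: it reports scheme sources such as https: even when 'strict-dynamic' would cause newer browsers to ignore them.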

References

Mitigate XSS attacks with Content Security Policy

Severity

Moderate

CVE ID

CVE-2024-45303

Weaknesses

No CWEs