CVE-2023-43658

Name of the Vulnerable Software and Affected Versions discourse-calendar (affected versions not specified)

Description The discourse-calendar plugin for the Discourse messaging platform is affected by an issue where improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. This is a non-default configuration, so the vast majority of sites are unaffected.

Recommendations To resolve the issue, users are advised to upgrade to the latest version of the discourse-calendar plugin. If an upgrade is not possible, users should ensure CSP is enabled on the forum as a temporary workaround.