PT-2022-20497 · Discourse · Discourse Calendar

Jomaxro

Published

2022-06-14

Updated

2022-06-23

CVE-2022-31059

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Discourse Calendar versions prior to 1.0.1

Description The issue affects the Discourse Calendar plugin for Discourse, an open-source messaging app, where parsing and rendering of Event names can be susceptible to cross-site scripting (XSS) attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy.

Recommendations For versions prior to 1.0.1, update to version 1.0.1 of the Discourse Calendar plugin to resolve the issue. As a temporary workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2022-31059

GHSA-C783-X9VM-XXP5

Affected Products

Discourse Calendar

PT-2022-20497 · Discourse · Discourse Calendar

CVE-2022-31059

Weakness Enumeration

Related Identifiers

Affected Products

References · 8