PT-2022-26144 · Discourse · Discourse Calendar

Jomaxro

Published: 2022-11-14 · Updated: 2022-11-17

CVE-2022-41913

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Discourse-calendar (affected versions not specified)

Description: The Discourse-calendar plugin for the Discourse messaging platform is affected by an issue that allows users to list the members of private groups, or of public groups with private members, and to create and edit post events. This issue only affects sites with Discourse post events enabled. The issue has been patched in a commit that will be included in future releases.

Recommendations: To fully mitigate the issue, users unable to upgrade should disable the "discourse post event enabled" setting. As a temporary workaround, regular users can be prevented from exploiting this vulnerability by removing all groups from the "discourse post event allowed on groups" setting, but note that moderators will still be able to use it.

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers: CVE-2022-41913, GHSA-JH96-W279-G7R9

Affected Products: Discourse Calendar