PT-2024-20583 · Discourse · Discourse Calendar

0-0Eth0

Published: 2024-02-22 · Updated: 2025-02-05

CVE-2024-24817

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Discourse Calendar versions prior to 0.4
Description: The issue allows the invitees of events created in private categories or private messages to be retrieved by anyone, even users who are not logged in. The flaw is in the Discourse Calendar plugin for the open-source discussion platform Discourse. There is no known workaround; enabling the "login required" site setting blocks anonymous use of the affected endpoint, but any logged-in user can still retrieve the list of invitees for private topics.
Recommendations: For versions prior to 0.4, update to version 0.4 of the discourse-calendar plugin to resolve the issue. As a temporary and partial workaround, consider enabling "login required" so that anonymous users cannot reach the vulnerable endpoint.
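The following is an added example, not the plugin's code or Discourse's own code: a plain-Ruby model of an "event invitees" lookup that shows why the pre-0.4 behaviour leaks, why the "login required" workaround only stops anonymous callers, and what the authorization check that closes the gap looks like. All names (Topic, User, TOPICS, INVITEES, can_see_topic?, handle_invitees_request), the sample topics and the visibility rule are constructed here for illustration; Discourse's real Guardian logic is more involved.

```ruby
# Added example (not the discourse-calendar plugin's code): modelling the
# authorization gap behind CVE-2024-24817 in plain Ruby, with no Rails or
# Discourse dependencies. Every name and value below is constructed.

Topic = Struct.new(:id, :private_category, :private_message, :members, keyword_init: true)
User  = Struct.new(:name, keyword_init: true)

# Constructed sample data: one public topic, one in a private category,
# one private message. Members are the users allowed to see the topic.
TOPICS = {
  1 => Topic.new(id: 1, private_category: false, private_message: false, members: []),
  2 => Topic.new(id: 2, private_category: true,  private_message: false, members: ["alice"]),
  3 => Topic.new(id: 3, private_category: false, private_message: true,  members: ["bob", "carol"]),
}.freeze

# Constructed invitee lists keyed by topic id (the data the endpoint serves).
INVITEES = { 1 => ["dave"], 2 => ["alice", "erin"], 3 => ["bob", "carol"] }.freeze

def private_topic?(topic)
  topic.private_category || topic.private_message
end

# Simplified visibility rule (assumption, standing in for Discourse's Guardian):
# anonymous callers (user == nil) see only public topics; logged-in users see
# public topics plus private ones they are a member of.
def can_see_topic?(user, topic)
  return false if topic.nil?
  return !private_topic?(topic) if user.nil?
  return true unless private_topic?(topic)
  topic.members.include?(user.name)
end

# One request handler with two switches so the three situations in the
# advisory can be compared side by side. Returns [http_status, body].
#
#   login_required: the site-wide setting used as the temporary workaround;
#                   it only rejects anonymous callers.
#   authorize:      false reproduces the pre-0.4 behaviour (lookup by topic id,
#                   caller never consulted); true applies the topic check.
def handle_invitees_request(user, topic_id, login_required:, authorize:)
  return [403, nil] if login_required && user.nil?

  # Vulnerable path: the invitee list is keyed on topic id alone, so whoever
  # can reach the endpoint gets the data regardless of topic visibility.
  return [200, INVITEES.fetch(topic_id, [])] unless authorize

  # Hardened path: authorize against the topic first. A topic the caller may
  # not see is answered exactly like a missing one, so the response does not
  # confirm that a private topic exists.
  topic = TOPICS[topic_id]
  return [404, nil] unless can_see_topic?(user, topic)

  [200, INVITEES.fetch(topic_id, [])]
end

if __FILE__ == $PROGRAM_NAME
  dave = User.new(name: "dave") # logged in, but not a member of topic 3
  puts "anonymous, no check:        #{handle_invitees_request(nil,  3, login_required: false, authorize: false).inspect}"
  puts "anonymous, login required:  #{handle_invitees_request(nil,  3, login_required: true,  authorize: false).inspect}"
  puts "dave, login required only:  #{handle_invitees_request(dave, 3, login_required: true,  authorize: false).inspect}"
  puts "dave, with topic check:     #{handle_invitees_request(dave, 3, login_required: true,  authorize: true).inspect}"
end
```

The third case is the limitation the advisory calls out: with only "login required" enabled, a logged-in user who is not a member of the private message still receives its invitee list. Only the per-topic check in the fourth case closes that, which is why the setting is a stop-gap and the upgrade to 0.4 is the fix.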

Information Disclosure

Weakness Enumeration

Related Identifiers
CVE-2024-24817
GHSA-WWQ5-G5CP-C69F

Affected Products
Discourse Calendar