CVE-2023-43658

CVSS V2 None CVSS V3 None
Description
discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP disabled is a non-default configuration, so the vast majority of sites are unaffected. This problem is resolved in the latest version of the discourse-calendar plugin. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.
Overview
  • CVE ID: CVE-2023-43658
  • Assigner: GitHub_M
  • Vulnerability Status: PUBLISHED
  • Published Version: 2023-10-16T21:28:57.341Z
  • Last Modified Date: 2023-10-16T21:28:57.341Z
History
Created Old Value New Value Data Type Notes
2024-06-25 16:07:12 Added to TrackCVE