CVE-2022-31059

Published: Jun 14, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Discourse Calendar is a calendar plugin for Discourse, an open-source messaging app. Prior to version 1.0.1, parsing and rendering of Event names can be susceptible to cross-site scripting (XSS) attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. This issue is patched in version 1.0.1 of the Discourse Calendar plugin. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.

Vendor	Product	Versions
discourse	discourse-calendar	affected `< 1.0.1`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/discourse/discourse-calendar/security/advisories/GHSA-c783-x9vm-xxp5

x_refsource_CONFIRM

https://github.com/discourse/discourse-calendar/pull/280

x_refsource_MISC

https://github.com/discourse/discourse-calendar/commit/2719b9e81994e961bf8c4e12b4556dc9777dd62f

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-31059

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References