Lucene search

GitHub_MCVELIST:CVE-2024-26145

HistoryFeb 21, 2024 - 5:19 p.m.

CVE-2024-26145 Uninvited user is able to join and mark the attendance of the the private event

2024-02-2117:19:11

CWE-863

GitHub_M

www.cve.org

cve-2024-26145

discourse calendar

dynamic calendar

private events

attendance update

security patch

post visibility.

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on Discourse. Uninvited users are able to gain access to private events by crafting a request to update their attendance. This problem is resolved in commit dfc4fa15f340189f177a1d1ab2cc94ffed3c1190. As a workaround, one may use post visibility to limit access.

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse-calendar",
    "versions": [
      {
        "version": ">= 2201b254, < dfc4fa15f340189f177a1d1ab2cc94ffed3c1190",
        "status": "affected"
      }
    ]
  }
]

References

github.com/discourse/discourse-calendar/commit/dfc4fa15f340189f177a1d1ab2cc94ffed3c1190

github.com/discourse/discourse-calendar/security/advisories/GHSA-4hh7-6m34-p2jp

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVELIST:CVE-2024-26145