Vulnerabilities > CVE-2024-26145 - Unspecified vulnerability in Discourse Calendar 0.2
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on Discourse. Uninvited users are able to gain access to private events by crafting a request to update their attendance. This problem is resolved in commit dfc4fa15f340189f177a1d1ab2cc94ffed3c1190. As a workaround, one may use post visibility to limit access.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
References
- https://github.com/discourse/discourse-calendar/commit/dfc4fa15f340189f177a1d1ab2cc94ffed3c1190
- https://github.com/discourse/discourse-calendar/commit/dfc4fa15f340189f177a1d1ab2cc94ffed3c1190
- https://github.com/discourse/discourse-calendar/security/advisories/GHSA-4hh7-6m34-p2jp
- https://github.com/discourse/discourse-calendar/security/advisories/GHSA-4hh7-6m34-p2jp