CVE-2022-31059
CVE-2022-31059 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Discourse Calendar is a calendar plugin for Discourse, an open-source messaging app. Prior to version 1.0.1, parsing and rendering of Event names can be susceptible to cross-site scripting (XSS) attacks. EPSS estimates a 0.69% chance of exploitation in the next 30 days.
Description
Discourse Calendar is a calendar plugin for Discourse, an open-source messaging app. Prior to version 1.0.1, parsing and rendering of Event names can be susceptible to cross-site scripting (XSS) attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. This issue is patched in version 1.0.1 of the Discourse Calendar plugin. As a workaround, ensure that the Content Security Policy is enabled, and has not been modified in a way which would make it more vulnerable to XSS attacks.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse Calendar | < 1.0.1 |
References
- https://github.com/discourse/discourse-calendar/commit/2719b9e81994e961bf8c4e12b4556dc9777dd62f (Patch, Third Party Advisory)
- https://github.com/discourse/discourse-calendar/pull/280 (Issue Tracking, Patch, Third Party Advisory)
Source: NVD / NIST
