5.3

CVE-2024-24817

EPSS 0.23%
Veröffentlicht 22.02.2024 18:15:48
Zuletzt bearbeitet 05.02.2025 21:59:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs (private messages) can be retrieved by anyone, even if they're not logged in. This problem is resolved in version 0.4 of the discourse-calendar plugin. While no known workaround is available, putting the site behind `login_required` will disallow this endpoint to be used by anonymous users, but logged in users can still get the list of invitees in the private topics.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Discourse ≫ Calendar Version < 0.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.456

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/discourse/discourse-calendar/commit/84ef46a38cf02748ecacad16c5d9c6fec12dc8da

Patch

https://github.com/discourse/discourse-calendar/security/advisories/GHSA-wwq5-g5cp-c69f

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-24817

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-24817

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-24817

EUVD