CVE-2024-21658 — MEDIUM (4.3)

Q: How severe is CVE-2024-21658?

CVE-2024-21658 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-21658?

Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse Calendar.

Vulnerability Description

discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Discourse	Discourse Calendar	< 2024-08-28

Related Weaknesses (CWE)

CWE-770 CWE-400

References

https://github.com/discourse/discourse-calendar/security/advisories/GHSA-65f2-9gVendor Advisory

FAQ

What is CVE-2024-21658?

CVE-2024-21658 is a vulnerability with a CVSS score of 4.3 (MEDIUM). discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious act...

How severe is CVE-2024-21658?

CVE-2024-21658 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-21658?

Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse Calendar.