CVE-2024-24817 — MEDIUM (4.3)

Q: How severe is CVE-2024-24817?

CVE-2024-24817 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-24817?

Check the references section above for vendor advisories and patch information. Affected products include: Discourse Calendar.

Vulnerability Description

Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs (private messages) can be retrieved by anyone, even if they're not logged in. This problem is resolved in version 0.4 of the discourse-calendar plugin. While no known workaround is available, putting the site behind `login_required` will disallow this endpoint to be used by anonymous users, but logged in users can still get the list of invitees in the private topics.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Discourse	Calendar	< 0.4

Related Weaknesses (CWE)

CWE-200

References

FAQ

What is CVE-2024-24817?

CVE-2024-24817 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics i...

How severe is CVE-2024-24817?

CVE-2024-24817 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-24817?

Check the references section above for vendor advisories and patch information. Affected products include: Discourse Calendar.