CVE-2023-43658

Published: 2023-10-16T22:15Z
Last Modified: 2024-11-21T08:24Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Improper escaping of event titles could lead to Cross-site Scripting (XSS) within the 'email preview' UI when a site has CSP disabled. Having CSP disabled is a non-default configuration, so the vast majority of sites are unaffected. This problem is resolved in the latest version of the discourse-calendar plugin. Users are advised to upgrade. Users unable to upgrade should ensure CSP is enabled on the forum.

> MITRE Terms of Use apply – see LICENSE‑MITRE.txt