Products
discourse-calendar
- UNKNOWN
Source
security-advisories@github.com
Tags
CVE-2024-21658 details
Published : Aug. 30, 2024, 6:15 p.m.
Last Modified : Aug. 30, 2024, 6:15 p.m.
Last Modified : Aug. 30, 2024, 6:15 p.m.
Description
discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.
CVSS Score
| 1 | 2 | 3 | 4.3 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-400 | Uncontrolled Resource Consumption | The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
Base Score
4.3
Exploitability Score
2.8
Impact Score
1.4
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
References
| URL | Source |
|---|---|
| https://github.com/discourse/discourse-calendar/security/advisories/GHSA-65f2-9ghp-x8h8 | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.