CVE-2022-41913 Discourse-calendar adds calendar functionality to the first post of a topic.

Discourse recommends users enable the `discourse_post_event_enabled` setting, which forces Discourse to allow the creation of post events. This setting can be found in the `settings/general` menu, under the `post_event_enabled` subheading. Users who cannot enable the setting or who want to further mitigate the issue can deactivate the `discourse_post_event_enabled` setting for all groups, as it can be done for all groups using the `discourse_post_event_allowed_on_groups` setting. This can be done by going to the group settings and setting the `discourse_post_event_enabled` setting to `false`.

CVE-2023-41929

Discourse recommends users enable the `discourse_post_event_enabled` setting, which forces Discourse to allow the creation of post events. This setting can be found in the `settings/general` menu, under the `post_event_enabled` subheading. Users who cannot enable the setting or who want to further mitigate the issue can deactivate the `discourse_post_event_enabled` setting for all groups, as it can be done for all groups using the `discourse_post_event_allowed_on_groups` setting. This can be done by going to the group settings and setting the `discourse_post_event_enabled` option to `false`.

Discourse Vulnerability Symptoms

The vulnerability might cause an attack to occur when a user visits a page in the affected group, or it might provide an unauthorized user with access to data on the site.

Discourse recommends users enable the `discourse_post_event_enabled` setting, which forces Discourse to allow the creation of post events. This setting can be found in the `settings/general` menu, under the `post_event_enabled` subheading. Users who cannot enable the setting or who want to further mitigate the issue can deactivate the `discourse_post_event_enabled` setting for all groups, as it can be done for all groups using the `discourse_post_event_allowed_on_groups` setting. This can be done by going to the group settings and setting the `discourse_post_event_enabled` setting to `false`.

Discourse Post Event Vulnerability - CVE-2022-41914

Discourse is a free and open-source, web-based discussion platform that is built on the Ruby on Rails framework. Discourse provides an easy way for people to engage in conversations about topics of interest, ranging from politics to sports to science. Discourse includes features such as user profiles, private messaging, custom domains, and various customization options.
The vulnerability allows a malicious user to create a post event without any approval from the administrator or moderators. This can be done by running the following query within the `/admin` namespace:

```ruby
PostEventCreate(false)
```
This can be done by performing this query in any other namespace with `discourse_post_event_allowed_on_groups` set to false. The vulnerability allows users who are not administrators or moderators to create a post event and use it for malicious purposes in the future. The vulnerability will allow users who are not administrators or moderators to create posts which can cause unwanted side effects such as spamming and trolling.

Discourse CMS Version and Operating System

Discourse version 3.0.3 and later are vulnerable to a cross-site scripting (XSS) attack when post events are enabled. Discourse recommends users enable the `discourse_post_event_enabled` setting, which forces Discourse to allow the creation of post events. Users who cannot enable the setting or who want to further mitigate the issue can deactivate the `discourse_post_event_enabled` setting for all groups, as it can be done for all groups using the `discourse_post_event_allowed_on_groups` setting. This can be done by going to the group settings and setting the `discourse_post_event_enabled` setting to `false`.

Discourse recommends users enable the `discourse_post_event_enabled` setting .

Discourse recommends users enable the `discourse_post_event_enabled` setting, which forces Discourse to allow the creation of post events. This setting can be found in the `settings/general` menu, under the `post_event_enabled` subheading. Discourse provides a way for users to manage which posts can have events attached to them by default.
Users who cannot enable the setting or who want to further mitigate the issue can deactivate the `discourse_post_event_enabled` setting for all groups, as it can be done for all groups using the `discourse_post_event_allowed_on_groups` setting. This can be done by going to the group settings and setting the `discourse_post_event_enabled` setting to `false`.

Timeline

Published on: 11/14/2022 21:15:00 UTC
Last modified on: 11/17/2022 19:40:00 UTC

References

• https://github.com/discourse/discourse-calendar/security/advisories/GHSA-jh96-w279-g7r9
• https://github.com/discourse/discourse-calendar/commit/ca5ae3e7e0c2b32af5ca4ec69c95e95b2ecef2e9
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41913