Discourse-calendar CVE202241913: Private Group Data Exposure via Events
CVE-2022-41913 Published on November 14, 2022

Discourse-calendar exposes members of hidden groups
Discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Members of private groups or public groups with private members can be listed by users, who can create and edit post events. This vulnerability only affects sites which have discourse post events enabled. This issue has been patched in commit `ca5ae3e7e` which will be included in future releases. Users unable to upgrade should disable the `discourse_post_event_enabled` setting to fully mitigate the issue. Also, it's possible to prevent regular users from using this vulnerability by removing all groups from the `discourse_post_event_allowed_on_groups` but note that moderators will still be able to use it.

NVD

Vulnerability Analysis

CVE-2022-41913 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2022-41913 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2022-41913

stack.watch emails you whenever new vulnerabilities are published in Discourse Calendar or Discourse Calendar. Just hit a watch button to start following.

Discourse Calendar
 
Discourse Calendar
 

Affected Versions

discourse-calendar Version < 0.3 is affected by CVE-2022-41913

Exploit Probability

EPSS
0.20%
Percentile
42.00%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.