Discourse Calendar
CVE-2024-21658
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionNVD
discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.
AnalysisAI
discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible. Affected products include: Discourse Discourse Calendar.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.
More in Discourse Calendar
View alldicourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar i
Discourse Calendar is a calendar plugin for Discourse, an open-source messaging app. Rated medium severity (CVSS 5.4), t
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today