CVE-2022-41913

Discourse-calendar exposes members of hidden groups

Description

Discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Members of private groups or public groups with private members can be listed by users, who can create and edit post events. This vulnerability only affects sites which have discourse post events enabled. This issue has been patched in commit `ca5ae3e7e` which will be included in future releases. Users unable to upgrade should disable the `discourse_post_event_enabled` setting to fully mitigate the issue. Also, it's possible to prevent regular users from using this vulnerability by removing all groups from the `discourse_post_event_allowed_on_groups` but note that moderators will still be able to use it.

Category

4.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.08%
Third-Party Advisory github.com Third-Party Advisory github.com
Affected: discourse discourse-calendar
Published at:
Updated at:

References

Link Tags
https://github.com/discourse/discourse-calendar/security/advisories/GHSA-jh96-w279-g7r9 third party advisory
https://github.com/discourse/discourse-calendar/commit/ca5ae3e7e0c2b32af5ca4ec69c95e95b2ecef2e9 third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2022-41913?
CVE-2022-41913 has been scored as a medium severity vulnerability.
How to fix CVE-2022-41913?
To fix CVE-2022-41913, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-41913 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-41913 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-41913?
CVE-2022-41913 affects discourse discourse-calendar.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.