CVE-2022-41913 – Discourse-calendar exposes members of hidden groups
https://notcve.org/view.php?id=CVE-2022-41913
Discourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Members of private groups or public groups with private members can be listed by users, who can create and edit post events. This vulnerability only affects sites which have discourse post events enabled. This issue has been patched in commit `ca5ae3e7e` which will be included in future releases. Users unable to upgrade should disable the `discourse_post_event_enabled` setting to fully mitigate the issue. • https://github.com/discourse/discourse-calendar/commit/ca5ae3e7e0c2b32af5ca4ec69c95e95b2ecef2e9 https://github.com/discourse/discourse-calendar/security/advisories/GHSA-jh96-w279-g7r9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-27617
https://notcve.org/view.php?id=CVE-2022-27617
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to download arbitrary files via unspecified vectors. Una limitación inapropiada de un nombre de ruta a un directorio restringido ("Salto de Ruta") es una vulnerabilidad del componente webapi en Synology Calendar versiones anteriores a 2.3.4-0631, que permite a usuarios remotos autenticados descargar archivos arbitrarios por medio de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_20_07 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-22686
https://notcve.org/view.php?id=CVE-2022-22686
Cross-Site Request Forgery (CSRF) vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to hijack the authentication of administrators via unspecified vectors. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en el componente webapi de Synology Calendar versiones anteriores a 2.3.4-0631, permite a usuarios remotos autenticados secuestrar la autenticación de los administradores por medio de vectores no especificados. • https://www.synology.com/security/advisory/Synology_SA_20_07 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-22682
https://notcve.org/view.php?id=CVE-2022-22682
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Event Management in Synology Calendar before 2.4.5-10930 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Una neutralización inapropiada de la entrada durante la generación de páginas web ("Cross-site Scripting") es una vulnerabilidad en la administración de eventos en Synology Calendar versiones anteriores a 2.4.5-10930, que permite a usuarios remotos autenticados inyectar scripts web o HTML arbitrarios por medio de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_22_07 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-33705
https://notcve.org/view.php?id=CVE-2022-33705
Information exposure in Calendar prior to version 12.3.05.10000 allows attacker to access calendar schedule without READ_CALENDAR permission. Una exposición de información en Calendar versiones anteriores a 12.3.05.10000, permite a un atacante acceder a la programación del calendario sin el permiso READ_CALENDAR • https://security.samsungmobile.com/serviceWeb.smsb?year==2022&month=07 • CWE-285: Improper Authorization •