WebCalendar *format* Cross-Site Scripting Vulnerability

Posted on Tuesday, December 19, 2006 @ 10:50:38 UTC in Security
by Raven

SECUNIA ADVISORY ID: SA23341

VERIFY ADVISORY: http://secunia.com/advisories/23341/

CRITICAL: Less critical

IMPACT: Cross Site Scripting

SOFTWARE:
WebCalendar 1.x - http://secunia.com/product/5606/
WebCalendar 0.9.x - http://secunia.com/product/1901/

DESCRIPTION: 7all has discovered a vulnerability in WebCalendar, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to the "format" parameter in export_handler.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. The vulnerability is confirmed in version 1.0.4. Other versions may also be affected.

SOLUTION: Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY: 7all
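The advisory gives no code, so the following is an added PHP illustration of the flaw class it describes and the fix its solution implies; it is not WebCalendar's own export_handler.php. It shows an unexpected "format" value echoed back into the page unencoded, beside a handler that validates the value against an allowlist and HTML-encodes anything it reflects. The format names, function names and the request array are assumptions made for this example.

```php
<?php
// Added illustration, not WebCalendar's code. Demonstrates the pattern the
// advisory describes: a request parameter reflected into HTML without encoding.

// Assumed set of export formats the handler accepts (constructed for this example).
const SUPPORTED_FORMATS = ['ical', 'vcal', 'csv'];

// Vulnerable pattern: the raw request value is written into the response body.
// Any markup in the "format" value becomes live HTML in the user's browser.
function export_handler_vulnerable(array $get): string
{
    $format = $get['format'] ?? '';
    if (!in_array($format, SUPPORTED_FORMATS, true)) {
        // Reflected without encoding: this is the reflected-XSS sink.
        return "<p>Unknown export format: " . $format . "</p>";
    }
    return "<p>Exporting as " . $format . "</p>";
}

// Hardened pattern: validate first, and never reflect an unvalidated value.
function export_handler_fixed(array $get): string
{
    $format = $get['format'] ?? '';
    if (!in_array($format, SUPPORTED_FORMATS, true)) {
        // Reject with a generic message; the untrusted value is not echoed.
        http_response_code(400);
        return "<p>Unsupported export format.</p>";
    }
    // $format is now one of the known constants; encode anyway as defence in depth.
    return "<p>Exporting as " . reflect_safely($format) . "</p>";
}

// If an untrusted value must be shown to the user at all, encode it for HTML
// context so that angle brackets and quotes cannot break out of the text node.
function reflect_safely(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed malicious request, as a reflected-XSS probe would send it.
$request = ['format' => '<script>alert(1)</script>'];

// The vulnerable handler returns the script tag as markup; the fixed handler
// returns only the generic rejection; reflect_safely() returns an encoded string.
echo export_handler_vulnerable($request), "\n";
echo export_handler_fixed($request), "\n";
echo reflect_safely($request['format']), "\n";
```

The same allowlist-then-encode discipline applies to any other parameter the handler writes back into a page, not only "format".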