Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27574
HistoryJan 21, 2012 - 12:00 a.m.

Webcalendar 1.2.4 'location' XSS

2012-01-2100:00:00
vulners.com
20

Exploit Title: Webcalendar 1.2.4 'location' XSS

Date: 01/11/12

Author: G13

Software Link:

https://sourceforge.net/projects/webcalendar/?source=directory

Version: 1.2.5

Category: webapps (php)

Vulnerability

There is no sanitation on the input of the location variable. This
allows malicious scripts to be added. This is a stored XSS

Vendor Notification

01/11/12 - Vendor Notified
01/19/12 - No response, disclosure

Affected Variables

Location=[XSS]

Exploit

The script can be added right in the page, there is no filtering of
input.