Multiple XSS Vulnerabilities in CaLogic Calendars
Summary
- Vulnerability: Multiple XSS Vulnerabilities in CaLogic Calendars
- Discovered: 2006.01.11
- Last Update: n/a
- ID: EV0024
- CVE: CVE-2006-0180
- Risk Level: medium
- Type: Cross Site Scripting
- Status: Unpatched
- Vendor: n/a
- Vulnerable Software: CaLogic Calendars (http://www.calogic.de/)
- Version: 1.2.2
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
Cross-site scripting was found in the CaLogic Calendars (http://www.calogic.de/) script.
Most user-defined variables are not properly sanitized, and most user data may contain HTML tags. The <script> tag is replaced by < script >, but this is not enough to prevent script code from being posted: user data may still contain the <iframe> tag.
This can be used to post arbitrary HTML or script code, which will be executed by the browser of every visitor.
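The filtering gap described above, shown as an added example that is not taken from the advisory or from CaLogic's source. It is written in PHP (assumed here to be the application's language) and compares a hypothetical `blacklist_filter()`, standing in for the <script> replacement, with output encoding through `htmlspecialchars()`. The function names, the sample titles and the `example.invalid` URL are constructed.

```php
<?php
// Added illustration; not CaLogic's own code.

// Hypothetical stand-in for the filter the advisory describes: only the
// <script> tag is rewritten, every other tag passes through unchanged.
// (Rewriting the closing tag the same way is an assumption.)
function blacklist_filter(string $input): string
{
    return str_ireplace(
        ['<script>', '</script>'],
        ['< script >', '< /script >'],
        $input
    );
}

// Output encoding: every HTML metacharacter becomes an entity, so no
// user-supplied tag of any kind reaches the browser as markup.
function encode_for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Regression check: true if the rendered value still contains something a
// browser would parse as a tag ('<' directly followed by a letter or '/').
function still_has_tag(string $rendered): bool
{
    return preg_match('~<[a-z/]~i', $rendered) === 1;
}

// Constructed sample event titles.
$titles = [
    'Team meeting',
    '<script>/* sample */</script>',
    '<iframe src="https://example.invalid/"></iframe>',
];

foreach ($titles as $title) {
    $weak = blacklist_filter($title);
    $safe = encode_for_html($title);
    printf("input:     %s\n", $title);
    printf("blacklist: %s  [tag survives: %s]\n", $weak, still_has_tag($weak) ? 'yes' : 'no');
    printf("encoded:   %s  [tag survives: %s]\n\n", $safe, still_has_tag($safe) ? 'yes' : 'no');
}
```

Only the <iframe> title reports a surviving tag after the blacklist, while the encoded column reports none for any input. Encoding belongs at the point where the value is written into the page, so it does not depend on knowing which tags are dangerous.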
PoC/Exploit
Example:
Adding New Event page:
Title value: <XSS>
Solution
A solution for "Multiple XSS Vulnerabilities in CaLogic Calendars" is not available. Check the vendor's website for updates.