Multiple XSS Vulnerabilities in CaLogic Calendars

Summary

Vulnerability
Multiple XSS Vulnerabilities in CaLogic Calendars
Discovered
2006.01.11
Last Update
n/a
ID
EV0024
CVE
CVE-2006-0180
Risk Level
medium
Type
Cross Site Scripting
Status
Unpatched
Vendor
n/a
Vulnerable Software
CaLogic Calendars (http://www.calogic.de/)
Version
1.2.2
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple Cross Site Scripting vulnerabilities were found in the CaLogic Calendars (http://www.calogic.de/) script.

Most user-supplied variables are not properly sanitized, so most user data may contain HTML tags. The <script> tag is replaced by "< script >", but this is not enough to prevent posting script code: user data may still contain an <iframe> tag, for example, which this replacement does not catch.

This can be used to post arbitrary HTML or script code, which will be executed by the browser of every visitor who views the stored data.
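The following is an added example, not code from the advisory or from CaLogic itself. It models the described filter (a literal replacement of "<script>" with "< script >") as an assumption about its behaviour, and shows why a tag blacklist fails where HTML-encoding the output does not. The <iframe> bypass is the one the advisory names; the upper-case <SCRIPT> and <img onerror> variants are illustrative of blacklist filters in general and are not claims about CaLogic. The sample event titles are constructed here.

```python
import html
import re

# Constructed model of the weak blacklist filter described in the advisory:
# only the literal lower-case "<script>" opening tag is neutered.
# This is an assumption about how such a filter behaves, not CaLogic's source.
def weak_blacklist_filter(value: str) -> str:
    return value.replace("<script>", "< script >")

# Hardened alternative: encode every HTML metacharacter on output so the
# browser renders the title as text and never interprets it as markup.
def escape_for_html(value: str) -> str:
    return html.escape(value, quote=True)

# Browsers only start a tag when "<" is immediately followed by a letter,
# so "< script >" is text, while "<iframe ...>" or "<img ...>" is a live tag.
# A stray closing tag such as "</script>" is inert and is deliberately ignored.
OPENING_TAG_RE = re.compile(r"<[a-zA-Z][^>]*>")

def contains_active_markup(value: str) -> bool:
    return OPENING_TAG_RE.search(value) is not None

# Constructed sample titles for an "Adding New Event" form.
SAMPLE_TITLES = {
    "plain": "Team meeting",
    "script": "<script>alert(1)</script>",
    # Bypass named in the advisory: the filter never looks at <iframe>.
    "iframe": '<iframe src="http://attacker.example/"></iframe>',
    # Illustrative variants (assumed; not reported against CaLogic):
    # a case-sensitive replace misses upper-case tags, and event-handler
    # attributes need no <script> tag at all.
    "script_upper": "<SCRIPT>alert(1)</SCRIPT>",
    "img_onerror": "<img src=x onerror=alert(1)>",
}

def survives_filter(title: str) -> bool:
    """True if active markup remains after the weak blacklist filter."""
    return contains_active_markup(weak_blacklist_filter(title))

def survives_escape(title: str) -> bool:
    """True if active markup remains after proper HTML encoding (never)."""
    return contains_active_markup(escape_for_html(title))

def compare(titles=SAMPLE_TITLES) -> dict:
    """Map each sample title to (survives_filter, survives_escape)."""
    return {name: (survives_filter(t), survives_escape(t)) for name, t in titles.items()}

if __name__ == "__main__":
    for name, (blacklist, encoded) in compare().items():
        print(f"{name:13s} blacklist lets markup through: {blacklist!s:5s} "
              f"encoding lets markup through: {encoded}")
```

Running the block prints one line per sample: the blacklist stops only the exact "<script>" case, while encoding stops every sample, because it does not try to recognise dangerous tags at all.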

PoC/Exploit

Example:

Adding New Event page:

Title value: <XSS> (any HTML that the <script> replacement does not catch, such as an <iframe> tag)

Solution

A solution for "Multiple XSS Vulnerabilities in CaLogic Calendars" is not available. Check the vendor's website for updates. Until a fix is released, the only reliable mitigation is to HTML-encode all user-supplied event fields on output rather than filtering individual tags.