================================================================
Celoxis <= 9.5 - Cross Site Scripting (XSS)
================================================================

Information
--------------------
Name: Celoxis <= 9.5 - Cross Site Scripting (XSS)
Affected Software : Celoxis
Affected Versions: <= 9.5
Vendor Homepage : http://www.celoxis.com
Vulnerability Type : Cross Site Scripting
Severity : Low
CVE: n/a


Product
--------------------
Celoxis is a web-based project management software.


Description
--------------------
Exist a vulnerability in the calendar.wm that allow an attacker execute 
arbitrary javascript in the browser context of a victim. Also, the 
attacker could steal the cookie because it is not being protected by 
HTTPOnly flag and is possible avoid the filters with the eval function.


Proof of Concept URL
--------------------
https://celoxisSite/psa/cal.Calendar.wm?p_ca_date=<script>alert("XSS")</script>


Advisory Timeline
--------------------

08/10/2015 - Informed Vendor about Issue
08/10/2015 - Vendor responded
12/11/2015 - Reminded Vendor
14/11/2015 - Vendor responded saying 'they changed the framework itself 
to handle XSS'.
23/11/2015 - Fix released (vendor informed us)
23/11/2015 - Vulnerability published


Credits & Authors
--------------------
Manuel Mancera (@sinkmanu)

www.a2secure.com


Disclaimer
-------------------
All information is provided without warranty. The intent is to provide
information to secure infrastructure and/or systems, not to be able to
attack or damage. Therefore A2Secure shall not be liable for any direct
or indirect damages that might be caused by using this information.