what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

My Calendar 2.5.16 Cross Site Scripting

My Calendar 2.5.16 Cross Site Scripting
Posted Apr 18, 2018
Authored by Luigi Gubello

My Calendar versions 2.5.16 and below suffer from a stored cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | eb9b27671a24c4e597e9e05a8d4885e435e39a68317a9fef72f37b24c12c4b8c

My Calendar 2.5.16 Cross Site Scripting

Change Mirror Download
An authenticated user, who can add new events,  can inject arbitrary javascript code via event_time_label input. The arbitrary code runs both on the event page and in the admin panel.

In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.

Vulnerability is fixed in My Calendar 2.5.17.

Proof of Concept: https://www.gubello.me/blog/my-calendar-2-5-16-authenticated-stored-xss/
Video PoC: https://www.youtube.com/watch?v=OvoEiJd6ggY

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close