PHP-Nuke Event Calendar Module Comments Field XSS

2004-11-16T08:19:37
ID OSVDB:11883
Type osvdb
Reporter Janek Vind "waraxe" (come2waraxe@yahoo.com)
Modified 2004-11-16T08:19:37

Description

Vulnerability Description

PHP-Nuke Event Calendar contains a flaw that allows an attacker to inject arbitrary script. The "event comment" field does not sufficiently sanitize the submitted variable, which allows an attacker to inject arbitrary JavaScript code.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://phpnuke.holbrookau.net/
Security Tracker: 1012245
Secunia Advisory ID: 13213
Related OSVDB ID: 11879
Related OSVDB ID: 11880
Related OSVDB ID: 11881
Related OSVDB ID: 11884
Related OSVDB ID: 11885
Related OSVDB ID: 11882
Other Advisory URL: http://www.waraxe.us/index.php?modname=sa&id=38
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0204.html
CVE-2004-1529