ID: OSVDB:3623
Type: osvdb
Reporter: OSVDB
Modified: 2003-09-04T09:31:48
Description
Vulnerability Description
WebCalendar contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the "eventinfo" variable when it is submitted to the month.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Vendor URL: http://webcalendar.sourceforge.net/
Secunia Advisory ID: 9672 (https://secuniaresearch.flexerasoftware.com/advisories/9672/)
Other Advisory URL: http://nocon.darkflame.net/CSS/Wecalendar.txt
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-09/0051.html
ISS X-Force ID: 13094
Bugtraq ID: 8539
Title: WebCalendar month.php eventinfo XSS
Published: 2003-09-04T09:31:48
Manual Testing Notes
http://www.host.name/webcalendar/month.php?eventinfo=<script>alert(document.cookie)</script>
Affected Software
WebCalendar 0.9.42, 0.9.3x, 0.9.41, 0.9.19, 0.9.8, 0.9.40, 0.9.11, 0.9.2x, 0.9.16, 0.9.15