{"edition": 1, "title": "WebCalendar month.php eventinfo XSS", "bulletinFamily": "software", "published": "2003-09-04T09:31:48", "lastseen": "2017-04-28T13:19:58", "history": [], "modified": "2003-09-04T09:31:48", "reporter": "OSVDB", "hash": "f8bcdd59056fb2d590c760d4e564c3b38005675ea55fbec310187fd1e9d35e95", "viewCount": 0, "href": "https://vulners.com/osvdb/OSVDB:3623", "description": "## Vulnerability Description\nWebCalendar contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the \"eventinfo\" variable upon submission to the month.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nWebCalendar contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the \"eventinfo\" variable upon submission to the month.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://www.host.name/webcalendar/month.php?eventinfo=<script>alert(document.cookie)</script>\n## References:\nVendor URL: http://webcalendar.sourceforge.net/\n[Secunia Advisory ID:9672](https://secuniaresearch.flexerasoftware.com/advisories/9672/)\nOther Advisory URL: http://nocon.darkflame.net/CSS/Wecalendar.txt\nOther Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-09/0051.html\nISS X-Force ID: 13094\nBugtraq ID: 8539\n", "affectedSoftware": [{"name": "WebCalendar", "version": "0.9.42", "operator": "eq"}, {"name": "WebCalendar", "version": "0.9.3x", "operator": "eq"}, {"name": "WebCalendar", "version": "0.9.41", "operator": "eq"}, {"name": "WebCalendar", "version": "0.9.19", "operator": "eq"}, {"name": "WebCalendar", "version": "0.9.8", "operator": "eq"}, {"name": "WebCalendar", "version": "0.9.40", "operator": "eq"}, {"name": "WebCalendar", "version": "0.9.11", "operator": "eq"}, {"name": "WebCalendar", "version": "0.9.2x", "operator": "eq"}, {"name": "WebCalendar", "version": "0.9.16", "operator": "eq"}, {"name": "WebCalendar", "version": "0.9.15", "operator": "eq"}], "type": "osvdb", "hashmap": [{"key": "affectedSoftware", "hash": "72e8e2a4029a47a51bd369a04b5dd7ae"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "072e761d3328bc3e839d16ba71cb3326"}, {"key": "href", "hash": "1d001d96ca2136af26d5965c2728ad0a"}, {"key": "modified", "hash": "81c31fd556404f70e5ed8a8236101635"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "81c31fd556404f70e5ed8a8236101635"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "8ff1c7940e071b8a4457c5cb437852ca"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"vector": "NONE", "value": 4.3}, "vulnersScore": 4.3}, "cvss": {"vector": "NONE", "score": 0.0}, "cvelist": [], "id": "OSVDB:3623"}

{}