PHP Event Calendar Multiple Parameter Cross Site Scripting Vulnerability
OS2A ID: OS2A_1007 Status:
08/20/2006 Issue Discovered
09/06/2006 Reported to the Vendor
09/09/2006 Fixed by Vendor
09/13/2006 Advisory Released
Class: Cross Site Scripting Severity: Low
Overview:
---------
PHP Event Calendar is a reusable PHP script that extends a web site's
functionality with an event scheduler and/or news archive.
http://www.softcomplex.com/products/php_event_calendar/
Description:
------------
A cross-site scripting vulnerability exists in PHP Event Calendar due to missing
input validation of the title (ti), body (bi) and background image (cbgi)
parameters of the cl_files/index.php page when adding a new event.
Successful exploitation requires authentication.
Impact:
-------
An authenticated remote attacker could inject malicious HTML and script code into
another user's browser session within the security context of the affected site.
Affected Software(s):
---------------------
PHP Event Calendar 1.5.1 (prior versions may also be vulnerable)
Proof of Concept:
-----------------
http://www.yoursite.com/directory_where_you_installed_php_event_calendar/cl_files/index.php
Vulnerable fields: title field - ti
                   body field - bi
                   Background Image - cbgi
Insert "<script>alert('XSS Vulnerable');</script>" in each of the above fields and
click "Add event".
CVSS Score Report:
-----------------
ACCESS_VECTOR = REMOTE
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
IMPACT_BIAS = INTEGRITY
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = OFFICIAL_FIX
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 2.1 (AV:R/AC:L/Au:R/C:N/I:P/A:N/B:I)
CVSS Temporal Score = 1.6
Risk factor = Low
Vendor Response:
---------------
"Attached is the version that blocks the use of the <script> in the
text of the event. We can't block use of HTML completely because many
users want to be able to use HTML for the event descriptions. The
events are managed in the password protected control panel so there
was no security threat even before the change was applied."
Solution:
---------
Update to the fixed version,
http://www.softcomplex.com/products/php_event_calendar/
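The rendering code below is an added example, not code from PHP Event Calendar or its vendor: it shows the defender's alternative to blocking `<script>` alone, namely encoding the plain fields (ti, cbgi) for their HTML context at output time and passing the body (bi) through an explicit tag allowlist so the HTML users want is kept while attributes are dropped. The function names, the `$event` array and the image directory are assumptions (constructed sample input).

```php
<?php
// Constructed sample of an event record as submitted through the add-event form,
// using the advisory's own test string in each of the three vulnerable fields.
$event = [
    'ti'   => "<script>alert('XSS Vulnerable');</script>",                  // title
    'bi'   => "Doors open at <b>7pm</b> <script>alert('XSS Vulnerable');</script>", // body
    'cbgi' => "<script>alert('XSS Vulnerable');</script>",                  // background image
];

// 1. Plain-data fields (title, image name) are encoded for the HTML context
//    they are written into. This is done at output time, not at storage time.
function encode_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2. The body may legitimately carry markup, so instead of a <script> blacklist
//    keep an explicit allowlist of harmless tags and strip every attribute from
//    what survives (attributes are where event handlers would live). Text left
//    behind by a removed tag is inert.
function sanitize_body(string $html): string
{
    $kept = strip_tags($html, '<b><i><em><strong><p><br>');
    return preg_replace('/<([a-z]+)[^>]*>/i', '<$1>', $kept);
}

// 3. The background image is a file name from a fixed directory: validate the
//    shape on the way in and fall back to a default rather than echoing input.
function safe_image_name(string $name): ?string
{
    return preg_match('/^[A-Za-z0-9_.-]+\.(png|jpe?g|gif)$/', $name) ? $name : null;
}

// Vulnerable pattern for comparison (hypothetical, mirrors the advisory's
// description): the stored title is written straight into the page, so the
// stored <script> runs in the browser of every user who views the calendar.
function render_title_unsafe(array $e): string
{
    return "<h2>{$e['ti']}</h2>";
}

// Hardened rendering of the same record.
function render_event(array $e): string
{
    $img = safe_image_name($e['cbgi']) ?? 'default.png';   // assumed default file
    return '<div class="event" style="background-image:url(\'/calendar/img/'
         . encode_html($img) . '\')">'
         . '<h2>' . encode_html($e['ti']) . '</h2>'
         . '<div class="body">' . sanitize_body($e['bi']) . '</div>'
         . '</div>';
}

echo render_event($event), PHP_EOL;
```

Run with `php example.php`: the title and image name come out as escaped text, the body keeps its `<b>` markup and loses the script tag, and the background falls back to the default image.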
Credits:
--------
NR Nandini of OS2A has been credited with the discovery of this vulnerability.