CVE-2010-0636
WebCalendar 1.2.0 and all versions before 1.2.5 are vulnerable to multiple XSS flaws. An attacker can inject arbitrary script via the tab parameter to users.php and via PATH_INFO to day.php, month.php, and week.php. The issue stems from insufficient input sanitization. Upgrading to 1.2.5 or later...