Webcalendar 1.2.4 'location' XSS

2012-01-21T00:00:00
ID SECURITYVULNS:DOC:27574
Type securityvulns
Reporter Securityvulns
Modified 2012-01-21T00:00:00

Description

Exploit Title: Webcalendar 1.2.4 'location' XSS

Date: 01/11/12

Author: G13

Software Link:

https://sourceforge.net/projects/webcalendar/?source=directory

Version: 1.2.5

Category: webapps (php)

Vulnerability

There is no sanitation on the input of the location variable. This allows malicious scripts to be added. This is a stored XSS

Vendor Notification

01/11/12 - Vendor Notified 01/19/12 - No response, disclosure

Affected Variables

Location=[XSS]

Exploit

The script can be added right in the page, there is no filtering of input.