SECUNIA ADVISORY ID: SA23341
VERIFY ADVISORY: http://secunia.com/advisories/23341/
CRITICAL: Less critical
IMPACT: Cross Site Scripting
SOFTWARE:
WebCalendar 1.x - http://secunia.com/product/5606/
WebCalendar 0.9.x - http://secunia.com/product/1901/
DESCRIPTION: 7all has discovered a vulnerability in WebCalendar, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "format" parameter in export_handler.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. The vulnerability is confirmed in version 1.0.4. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly sanitised.
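The following is an added example and is not WebCalendar's own code: it models the class of defect the advisory describes (a request parameter reflected into an HTML response unescaped) next to the fix the SOLUTION line calls for. The function names, the error-message wording and the list of accepted format names are assumptions made for illustration; the probe input is constructed, not taken from the advisory.

```php
<?php
// Added example, not WebCalendar's code. Illustrates the advisory's finding:
// a "format" request parameter echoed into an HTML page without sanitisation,
// and the hardened form (allow-list the value, HTML-encode anything echoed).

// Hypothetical vulnerable pattern: reflects $_GET['format'] verbatim.
function export_error_vulnerable(array $get): string
{
    $format = $get['format'] ?? '';
    return "<p>Unsupported export format: " . $format . "</p>";
}

// Hardened pattern. Only accept a known format; anything else is echoed
// back only after htmlspecialchars(), so it cannot break out of the text node.
const ALLOWED_FORMATS = ['ical', 'vcal', 'pilot-csv'];  // assumed names

function export_error_hardened(array $get): string
{
    $format = (string)($get['format'] ?? '');
    if (!in_array($format, ALLOWED_FORMATS, true)) {
        $safe = htmlspecialchars($format, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return "<p>Unsupported export format: " . $safe . "</p>";
    }
    return "<p>Exporting as " . $format . "</p>";
}

// Simple check a reviewer can run against any rendered response: does the
// raw probe string survive into the markup unencoded?
function reflects_unescaped(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

// Constructed probe input (a generic reflected-XSS test string).
$probe = '<script>alert(1)</script>';
$request = ['format' => $probe];

echo export_error_vulnerable($request), PHP_EOL;
echo export_error_hardened($request), PHP_EOL;

var_dump(reflects_unescaped(export_error_vulnerable($request), $probe)); // bool(true)
var_dump(reflects_unescaped(export_error_hardened($request), $probe));   // bool(false)
```

The allow-list is the primary control: an export format is a small fixed vocabulary, so anything outside it should be rejected rather than processed. Encoding on output is the second layer, and it is what prevents the reflected error message itself from becoming the injection point.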
PROVIDED AND/OR DISCOVERED BY: 7all
WebCalendar "format" Cross-Site Scripting Vulnerability
Posted on Tuesday, December 19, 2006 @ 09:50:38 CST in Security