Original advisory in bugtraq: http://seclists.org/bugtraq/2011/Dec/123
""""
# Exploit Title: PHP Booking Calendar 10e XSS
# Date: 12/16/11
# Author: G13
# Software Link: http://sourceforge.net/projects/bookingcalendar/
# Version: 10e
# Category: webapps (php)
#
##### Vulnerability #####
The page_info_message variable in details_view.php does not sanitize input. This is a reflected XSS attack.
##### Exploit #####
I have verified this vulnerability to be a valid report. Please fix this XSS vulnerability and contact me in case you need more information or help with the patch.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5045
booking_calendar_10f.zip - htmlentities() added to header.php
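Added illustration of the bug class and of the fix noted above (example code, not the PHP Booking Calendar source): a request value echoed raw into the page beside the same value passed through htmlentities(). Only the name page_info_message and the use of htmlentities() come from the page; the surrounding markup, the function names and the sample request value are assumptions.

```php
<?php
// Example code, not taken from details_view.php or header.php: the markup
// around the value and the function names are assumed for illustration.

// Vulnerable pattern: the query-string value is written straight into the
// HTML response, so markup supplied in the request is rendered as markup
// (a reflected XSS, because the echo happens in the same response).
function render_info_message_vulnerable(array $get): string
{
    $page_info_message = $get['page_info_message'] ?? '';
    return '<div class="info">' . $page_info_message . '</div>';
}

// Hardened pattern, the fix shipped in 10f: encode the value at output time.
// ENT_QUOTES also encodes single quotes so the value is safe inside quoted
// attributes; the explicit charset avoids mis-decoding of multibyte input.
function render_info_message_fixed(array $get): string
{
    $page_info_message = $get['page_info_message'] ?? '';
    $safe = htmlentities($page_info_message, ENT_QUOTES, 'UTF-8');
    return '<div class="info">' . $safe . '</div>';
}

// Defender's check: true when the rendered output contains no raw tag
// opener, i.e. nothing from the request can be parsed as an element.
function output_is_neutralised(string $html_fragment): bool
{
    // The one '<' allowed is the div we wrote ourselves; strip it first.
    $inner = substr($html_fragment, strlen('<div class="info">'));
    $inner = substr($inner, 0, -strlen('</div>'));
    return strpos($inner, '<') === false;
}

// Constructed request value containing every character that must be encoded.
$constructed_request = ['page_info_message' => '<b onclick="x">Tom & Jerry\'s</b>'];

$vulnerable = render_info_message_vulnerable($constructed_request);
$fixed      = render_info_message_fixed($constructed_request);

echo "vulnerable: $vulnerable\n";   // tag survives into the page
echo "fixed:      $fixed\n";        // &lt;b onclick=&quot;x&quot;&gt;Tom &amp; Jerry&#039;s&lt;/b&gt;
echo 'vulnerable neutralised? ', output_is_neutralised($vulnerable) ? 'yes' : 'no', "\n"; // no
echo 'fixed neutralised?      ', output_is_neutralised($fixed) ? 'yes' : 'no', "\n";      // yes
```

The same check applied to every page that reflects request data is a quick way to find other unescaped sinks before a reporter does.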