#2019 "format" Cross-Site Scripting Vulnerability

Security_Hole
closed
Craig Knudsen
Security (98)
5
2007-08-29
2007-04-05
No

CVE-2006-6669

According to: http://secunia.com/advisories/23341

"7all has discovered a vulnerability in WebCalendar, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "format" parameter in export_handler.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

The vulnerability is confirmed in version 1.0.4. Other versions may also be affected."
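
An added example, not taken from the tracker item, the advisory or WebCalendar's source, of the two controls that address a reflected request value such as the "format" parameter: exact-match allowlist validation on input and HTML encoding on output. The function names and the list of format names are assumptions made for illustration.

```php
<?php
// Added illustration only; this is not WebCalendar's export_handler.php.
// The format names are assumed values for the example.
const ALLOWED_FORMATS = ['ical', 'vcal', 'csv'];

// Encode untrusted text for an HTML text node or a quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the requested format only on an exact allowlist match, else null.
function resolve_format(array $query): ?string
{
    $raw = $query['format'] ?? null;
    if (!is_string($raw)) {          // missing, or an array from ?format[]=x
        return null;
    }
    return in_array($raw, ALLOWED_FORMATS, true) ? $raw : null;
}

// Build the response body. The rejected value appears only after encoding;
// the unsafe pattern would concatenate $query['format'] into the page as-is.
function handle_export(array $query): string
{
    $format = resolve_format($query);
    if ($format !== null) {
        return '<p>Exporting as ' . h($format) . '</p>';
    }
    $shown = is_string($query['format'] ?? null) ? $query['format'] : '';
    return '<p>Unsupported export format: ' . h($shown) . '</p>';
}

// Constructed sample requests (not taken from the advisory).
$samples = [
    ['format' => 'ical'],
    ['format' => 'ICAL'],                 // case mismatch: rejected
    ['format' => '"><i>probe</i>'],       // markup is encoded, not rendered
    ['format' => ['ical']],               // array input: rejected
    [],                                   // parameter absent
];
foreach ($samples as $query) {
    echo handle_export($query), PHP_EOL;
}
```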

Discussion

  • Ray Jones
    2007-07-29

    Logged In: YES
    user_id=1090373
    Originator: NO

    A new version of WebCalendar was recently released. Please try
    upgrading your WebCalendar to this version & let us know if it
    resolves the issue. Thanks for using WebCalendar!

     
  • Ray Jones
    2007-07-29

    • summary: "format" Cross-Site Scripting Vulnerability --> \"format\" Cross-Site Scripting Vulnerability
    • status: open --> pending
     
    • status: pending --> closed
     
  • Logged In: YES
    user_id=1312539
    Originator: NO

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 30 days (the time period specified by
    the administrator of this Tracker).