Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo

Close

#2240 Multiple Cross-Site Scripting Vulnerabilities

Security_Hole
closed-fixed
Craig Knudsen
Security (98)
9
2008-02-28
2007-12-18
omer-singer
No

I have discovered multiple persistent and non-persistent cross-site scripting vulnerabilities in WebCalendar. For more information, see:
http://www.digitrustgroup.com/advisories/web-application-security-webcalendar.html

Also, I have attached a screenshot of one of the proof-of-concept attacks.

Please let me know when these vulnerabilities are fixed in the SVN.

Cheers,

Omer Singer
omer.singer@thedigitrustgroup.com

Discussion

  • omer-singer
    omer-singer
    2007-12-21

    Logged In: YES
    user_id=1960349
    Originator: YES

    File Added: thedigitrustgroup-webcalendar.JPG

     
  • Craig Knudsen
    Craig Knudsen
    2008-01-24

    • priority: 5 --> 9
     
  • Craig Knudsen
    Craig Knudsen
    2008-01-28

    • status: open --> pending-fixed
     
  • Craig Knudsen
    Craig Knudsen
    2008-01-28

    Logged In: YES
    user_id=14386
    Originator: NO

    This has been fixed in CVS in the following branches:

    REL_1_0_0 (for 1.0.X)
    REL_1_2 (for 1.1.X/1.2.X0
    HEAD (development)

     
  • Logged In: YES
    user_id=24666
    Originator: NO

    One of the XSS vulnerabilities in CVE-2007-6696 is still present in CVS HEAD. Please, consider applying patch #1900597.

    Rafael Laboissiere

     
  • Craig Knudsen
    Craig Knudsen
    2008-02-25

    Logged In: YES
    user_id=14386
    Originator: NO

    rlaboiss,

    Thanks for the patch (which is now in REL_1_2 and HEAD in CVS).

     
  • Logged In: YES
    user_id=1312539
    Originator: NO

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 30 days (the time period specified by
    the administrator of this Tracker).

     
    • status: pending-fixed --> closed-fixed