WebCalendar / Bugs / #2240 Multiple Cross-Site Scripting Vulnerabilities

#2240 Multiple Cross-Site Scripting Vulnerabilities

Milestone: Security_Hole

Status: closed-fixed

Owner: Craig Knudsen

Labels: Security (98)

Priority: 9

Updated: 2008-02-28

Created: 2007-12-18

Creator: omer-singer

Private: No

I have discovered multiple persistent and non-persistent cross-site scripting vulnerabilities in WebCalendar. For more information, see:
http://www.digitrustgroup.com/advisories/web-application-security-webcalendar.html

Also, I have attached a screenshot of one of the proof-of-concept attacks.

Please let me know when these vulnerabilities are fixed in the SVN.

Cheers,

Omer Singer
omer.singer@thedigitrustgroup.com

Discussion

omer-singer - 2007-12-21

Logged In: YES
user_id=1960349
Originator: YES

File Added: thedigitrustgroup-webcalendar.JPG

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

omer-singer - 2007-12-21

XSS Screenshot

thedigitrustgroup-webcalendar.JPG

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Craig Knudsen - 2008-01-24

priority: 5 --> 9
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Craig Knudsen - 2008-01-28

status: open --> pending-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Craig Knudsen - 2008-01-28

Logged In: YES
user_id=14386
Originator: NO

This has been fixed in CVS in the following branches:

REL_1_0_0 (for 1.0.X)
REL_1_2 (for 1.1.X/1.2.X0
HEAD (development)

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Anonymous - 2008-02-23

Logged In: YES
user_id=24666
Originator: NO

One of the XSS vulnerabilities in CVE-2007-6696 is still present in CVS HEAD. Please, consider applying patch #1900597.

Rafael Laboissiere

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Craig Knudsen - 2008-02-25

Logged In: YES
user_id=14386
Originator: NO

rlaboiss,

Thanks for the patch (which is now in REL_1_2 and HEAD in CVS).

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

SourceForge Robot - 2008-02-28

Logged In: YES
user_id=1312539
Originator: NO

This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 30 days (the time period specified by
the administrator of this Tracker).

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

SourceForge Robot - 2008-02-28

status: pending-fixed --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.