Multiple Cross-Site Scripting Vulnerabilities
I have discovered multiple persistent and non-persistent cross-site scripting vulnerabilities in WebCalendar. For more information, see:
http://www.digitrustgroup.com/advisories/web-application-security-webcalendar.html
Also, I have attached a screenshot of one of the proof-of-concept attacks.
Please let me know when these vulnerabilities are fixed in the SVN.
Cheers,
Omer Singer
omer.singer@thedigitrustgroup.com
Logged In: YES
user_id=1960349
Originator: YES
File Added: thedigitrustgroup-webcalendar.JPG
XSS Screenshot
Logged In: YES
user_id=14386
Originator: NO
This has been fixed in CVS in the following branches:
REL_1_0_0 (for 1.0.X)
REL_1_2 (for 1.1.X/1.2.X)
HEAD (development)
Logged In: YES
user_id=24666
Originator: NO
One of the XSS vulnerabilities in CVE-2007-6696 is still present in CVS HEAD. Please consider applying patch #1900597.
Rafael Laboissiere
Logged In: YES
user_id=14386
Originator: NO
rlaboiss,
Thanks for the patch (which is now in REL_1_2 and HEAD in CVS).
Logged In: YES
user_id=1312539
Originator: NO
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 30 days (the time period specified by
the administrator of this Tracker).