J-Security Center

Title: WebCalendar Multiple Cross-Site Scripting Vulnerabilities

Severity: MODERATE

Description:

WebCalendar is a PHP-based application, used as a calendar for one or more clients. WebCalendar can be used with MySQL, Oracle, PostgreSQL or ODBC.

Multiple cross-site scripting vulnerabilities have been reported in various modules of WebCalendar. The vulnerabilities may allow an attacker to execute malicious script code in a legitimate user's browser due to unsanitized user input.

The issues have been reported to exist in the $color parameter of the includes/js/colors.php module, the $user parameter of the week.php module, and the $eventinfo parameter of the week.php, day.php, month.php, week_details.php, view_l.php, view_m.php, view_t.php, view_v.php, and view_w.php modules of the software.

HTML and script code may not be filtered from user supplied input before being displayed. Therefore it may be possible to construct a malicious link containing script code that may be executed in the browser of a user who visits the link. This would occur in the context of the vulnerable site.

Successful exploitation could allow for theft of cookie-based authentication credentials from users. Other attacks are also possible.
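As an added defender-side example (not part of this advisory and not WebCalendar code), the following Python script scans web-server access-log lines for requests that feed HTML or script metacharacters into the module/parameter pairs named above, decoding each value a second time so that double-encoded values are also caught. The combined log format, the sample lines and the client addresses are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Module -> query parameters the advisory reports as unsanitized.
WATCHED = {"includes/js/colors.php": {"color"}, "week.php": {"user", "eventinfo"}}
for _m in ("day.php", "month.php", "week_details.php", "view_l.php",
           "view_m.php", "view_t.php", "view_v.php", "view_w.php"):
    WATCHED[_m] = {"eventinfo"}

# Markup that has no business in a colour code, user name or event id.
MARKUP = re.compile(r"""[<>"']|javascript:|on\w+\s*=""", re.IGNORECASE)
# Combined-format access-log line: client, request target, status (assumed format).
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def suspicious_params(target):
    """Return {param: decoded value} for watched params that carry markup."""
    parts = urlsplit(target)
    module = next((m for m in WATCHED if parts.path.endswith("/" + m)), None)
    if module is None:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in WATCHED[module]:
            for value in values:
                decoded = unquote_plus(value)  # second pass catches double encoding
                if MARKUP.search(decoded):
                    hits[name] = decoded
    return hits

def scan_log(lines):
    """Return (client, path, hits) for every request that trips the check."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            client, target, _status = m.groups()
            hits = suspicious_params(target)
            if hits:
                findings.append((client, urlsplit(target).path, hits))
    return findings

# Constructed sample log (RFC 5737 addresses); lines 2 and 3 carry markup, line 5 hits an unwatched module.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2003:13:55:36 +0000] "GET /cal/week.php?user=alice&date=20031010 HTTP/1.0" 200 5120',
    '203.0.113.7 - - [10/Oct/2003:13:56:01 +0000] "GET /cal/week.php?user=%3Cscript%3E HTTP/1.0" 200 5132',
    '198.51.100.9 - - [10/Oct/2003:13:57:12 +0000] "GET /cal/includes/js/colors.php?color=%2523ff0000%2522%253E HTTP/1.0" 200 311',
    '198.51.100.9 - - [10/Oct/2003:13:58:40 +0000] "GET /cal/month.php?eventinfo=42 HTTP/1.0" 200 7090',
    '192.0.2.5 - - [10/Oct/2003:13:59:03 +0000] "GET /cal/login.php?user=%3Cb%3E HTTP/1.0" 200 900',
]
```

Calling `scan_log(SAMPLE_LOG)` returns the two flagged requests (the `week.php` `user` value and the double-encoded `colors.php` `color` value) and ignores the benign and unwatched ones.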

Affected Products:

  • WebCalendar 0.9.8
  • WebCalendar 0.9.11
  • WebCalendar 0.9.15
  • WebCalendar 0.9.16
  • WebCalendar 0.9.19
  • WebCalendar 0.9.20
  • WebCalendar 0.9.21
  • WebCalendar 0.9.22
  • WebCalendar 0.9.23
  • WebCalendar 0.9.24
  • WebCalendar 0.9.25
  • WebCalendar 0.9.26
  • WebCalendar 0.9.27
  • WebCalendar 0.9.28
  • WebCalendar 0.9.29
  • WebCalendar 0.9.30
  • WebCalendar 0.9.31
  • WebCalendar 0.9.32
  • WebCalendar 0.9.33
  • WebCalendar 0.9.34
  • WebCalendar 0.9.35
  • WebCalendar 0.9.36
  • WebCalendar 0.9.37
  • WebCalendar 0.9.38
  • WebCalendar 0.9.39
  • WebCalendar 0.9.40
  • WebCalendar 0.9.41
  • WebCalendar 0.9.43

References:
