Full Disclosure mailing list archives
Supercali Event Calendar 1.0.8: XSS
From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Tue, 03 Nov 2015 11:55:10 +0100
Security Advisory - Curesec Research Team 1. Introduction Affected Product: Supercali Event Calendar 1.0.8 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://supercali.inforest.com/ Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 09/01/2015 Disclosed to public: 10/07/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description There is an XSS vulnerability via the "id" GET parameter when editing a group in Supercali Event Calendar 1.0.8. With this, it is possible to steal cookies or inject JavaScript keyloggers. 3. Proof of Concept http://supercali-1.0.8/supercali-1.0.8/edit_groups.php?mode=edit_group&id=<script>alert('xss')</script> 4. Solution This issue was not fixed by the vendor. 5. Report Timeline 09/01/2015 Informed Vendor about Issue (no reply) 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/Supercali-Event-Calendar-108-XSS-69.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Supercali Event Calendar 1.0.8: XSS Curesec Research Team (CRT) (Nov 06)