Supercali Event Calendar 1.0.8 Cross Site Scripting
Posted on 09 November 2015
Security Advisory - Curesec Research Team 1. Introduction Affected Product: Supercali Event Calendar 1.0.8 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://supercali.inforest.com/ Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 09/01/2015 Disclosed to public: 10/07/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description There is an XSS vulnerability via the "id" GET parameter when editing a group in Supercali Event Calendar 1.0.8. With this, it is possible to steal cookies or inject JavaScript keyloggers. 3. Proof of Concept http://supercali-1.0.8/supercali-1.0.8/edit_groups.php?mode=edit_group&id=<script>alert('xss')</script> 4. Solution This issue was not fixed by the vendor. 5. Report Timeline 09/01/2015 Informed Vendor about Issue (no reply) 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/Supercali-Event-Calendar-108-XSS-69.html
