CVE-2004-1529
Description
Cross-site scripting in PHP-Nuke Event Calendar module 2.13 allows remote attackers to inject arbitrary web script via multiple parameters in Preview or event comments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Event Calendar module version 2.13 for PHP-Nuke contains a cross-site scripting (XSS) vulnerability. User-supplied input passed via the type, day, month, and year parameters in a Preview operation, as well as event comments, is not properly sanitized before being rendered. This allows an attacker to inject arbitrary HTML and JavaScript. [1][2]
Exploitation
An attacker can craft a URL carrying script in the type, day, month, or year parameter of a Preview request and induce a victim to open it (reflected XSS). Alternatively, an attacker can post an event comment containing script, which then executes for every user or administrator who later views the event (stored XSS). No authentication is required for the Preview vector; the comment vector requires only the ability to post a comment. [1][2]
Impact
Successful exploitation enables the attacker to execute arbitrary web script in the context of the victim's browser. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. The attack affects any user who views the crafted Preview or the comment. [1][2]
Mitigation
No official patch was released by the module author. Users were advised to disable the Event Calendar module or apply input filtering manually. The module is no longer maintained. [1][2]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:rob_sutton:php-nuke_event_calendar:2.13:*:*:*:*:*:*:*
- Range: =2.13
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Poor user-submitted data handling — the `type`, `day`, `month`, and `year` parameters and event comments are not sanitized before being reflected in HTML output."
Attack vector
An attacker can inject arbitrary web script or HTML into the Event Calendar module by crafting a URL with malicious code in the `type`, `day`, `month`, or `year` parameters during a Preview operation [ref_id=1][ref_id=2]. For example, visiting `http://localhost/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&type=[xss code here]` will cause the injected script to execute in the victim's browser [ref_id=1][ref_id=2]. Additionally, any user can insert JavaScript into event comments; when another user or an admin views the comment, the script executes, enabling cookie theft or unauthorized admin actions [ref_id=1][ref_id=2]. No authentication is required for the reflected XSS vectors.
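The request shape above is easy to hunt for after the fact. The following script is an added example, not code from the advisory or from the PHP-Nuke Event Calendar module: it scans Common Log Format access-log lines for Calendar Preview requests whose `type`, `day`, `month`, or `year` value falls outside the shape those parameters should have. The log lines are constructed for the demo, the `/nuke73/modules.php` path follows the advisory's example URL, and the whitelist patterns are assumptions about what legitimate values look like. Requires PHP 8.0 or later.

```php
<?php
// Added example (not the advisory's or the module's code): flag Calendar
// Preview requests in access logs whose parameters carry non-whitelisted data.
declare(strict_types=1);

// Expected shape of each Preview parameter named in the advisory (assumed).
// The D modifier stops `$` from matching before a trailing newline.
const CALENDAR_PARAM_RULES = [
    'type'  => '/^[A-Za-z0-9_]{0,32}$/D',
    'day'   => '/^[0-9]{0,2}$/D',
    'month' => '/^[0-9]{0,2}$/D',
    'year'  => '/^[0-9]{0,4}$/D',
];

/**
 * Return the names of the Preview parameters in $logLine whose decoded value
 * violates the whitelist. Empty array when the line is not a Calendar Preview
 * request or when every value is clean.
 */
function suspiciousCalendarParams(string $logLine): array
{
    // Pull the request target out of the quoted request line.
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/[0-9.]+"#', $logLine, $m)) {
        return [];
    }
    $url = parse_url($m[1]);
    if ($url === false || !str_ends_with($url['path'] ?? '', '/modules.php')) {
        return [];
    }
    // parse_str percent-decodes, so %3Cscript%3E is inspected as <script>.
    parse_str($url['query'] ?? '', $q);
    if (($q['name'] ?? '') !== 'Calendar' || ($q['op2'] ?? '') !== 'Preview') {
        return [];
    }

    $hits = [];
    foreach (CALENDAR_PARAM_RULES as $param => $rule) {
        if (!array_key_exists($param, $q)) {
            continue;
        }
        $value = $q[$param];
        // Array-style values (type[]=...) are never legitimate here either.
        if (!is_string($value) || !preg_match($rule, $value)) {
            $hits[] = $param;
        }
    }
    return $hits;
}

// Constructed sample log: a benign Preview, a Preview carrying a script tag
// in `type`, and an unrelated request that must not be flagged.
const SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2004:10:01:02 +0000] "GET /nuke73/modules.php?name=Calendar&file=submit&op2=Preview&type=meeting&day=12&month=11&year=2004 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Nov/2004:10:02:15 +0000] "GET /nuke73/modules.php?name=Calendar&file=submit&op2=Preview&type=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&day=1&month=1&year=2004 HTTP/1.1" 200 5200',
    '10.0.0.9 - - [12/Nov/2004:10:03:40 +0000] "GET /nuke73/modules.php?name=News&file=article&sid=1 HTTP/1.1" 200 3000',
];

if (PHP_SAPI === 'cli') {
    foreach (SAMPLE_LOG as $line) {
        $hits = suspiciousCalendarParams($line);
        if ($hits !== []) {
            echo 'ALERT: suspicious Calendar Preview params (' . implode(', ', $hits) . "): $line\n";
        }
    }
}
```

Run with `php scan.php`; only the second sample line is reported, with `type` named as the offending parameter. Matching on the expected shape of each value rather than on known payload strings also catches encodings and event-handler tricks that a `<script` signature would miss.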
Affected code
The advisory identifies the Event Calendar module version 2.13 for PHP-Nuke as affected [ref_id=1][ref_id=2]. The XSS vulnerabilities exist in the `submit.php` file, where the `type`, `day`, `month`, and `year` parameters are not sanitized before being reflected in a Preview operation [ref_id=1][ref_id=2]. Additionally, event comments are vulnerable to script injection [ref_id=1][ref_id=2].
What the fix does
No official patch was ever released by the vendor. The advisory states that the vendor was contacted in September 2004 and acknowledged the issues, but no patched version was ever published [ref_id=1][ref_id=2]. The author recommends seeking community assistance for patching via the waraxe.us forums [ref_id=1][ref_id=2]. To remediate, administrators must manually sanitize all user-supplied input parameters (`type`, `day`, `month`, `year`, and event comments) before rendering them in HTML output.
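Because no patched release exists, the practical fix is the manual sanitisation described in the Mitigation and "What the fix does" sections above. The following is an added example, not the module's code: it shows the reflection pattern the advisory describes (parameters echoed straight into the Preview page) beside a hardened form an administrator would substitute, and the output-encoding step for stored event comments. Function names, the markup, and the accepted ranges are assumptions for illustration. Requires PHP 7.4 or later.

```php
<?php
// Added example (not the module's code): vulnerable reflection of the Preview
// parameters next to a validate-then-encode replacement, plus output encoding
// for stored comments.
declare(strict_types=1);

// Vulnerable pattern: whatever arrives in the query string is reflected as-is.
function renderPreviewVulnerable(array $get): string
{
    $type  = (string)($get['type']  ?? '');
    $day   = (string)($get['day']   ?? '');
    $month = (string)($get['month'] ?? '');
    $year  = (string)($get['year']  ?? '');
    return "<p>Type: $type</p><p>Date: $day/$month/$year</p>";
}

// Hardened pattern: validate each value against the shape it must have, then
// HTML-encode on output so even an accepted value cannot break the markup.
function renderPreviewHardened(array $get): string
{
    $type = $get['type'] ?? '';
    if (!is_string($type) || !preg_match('/^[A-Za-z0-9_]{0,32}$/D', $type)) {
        $type = '';   // reject outright rather than trying to "clean" it
    }
    $intInRange = function ($v, int $min, int $max): string {
        $n = filter_var($v, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        return $n === false ? '' : (string)$n;
    };
    $day   = $intInRange($get['day']   ?? null, 1, 31);
    $month = $intInRange($get['month'] ?? null, 1, 12);
    $year  = $intInRange($get['year']  ?? null, 1970, 2100);

    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Type: ' . $h($type) . '</p><p>Date: '
        . $h($day) . '/' . $h($month) . '/' . $h($year) . '</p>';
}

// Stored XSS in event comments: encode at render time regardless of what was
// stored, so comments saved before the fix are neutralised as well.
function renderComment(string $storedComment): string
{
    return '<div class="comment">'
        . htmlspecialchars($storedComment, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Cheap self-check: does the rendered HTML still contain a live tag?
function containsRawTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

if (PHP_SAPI === 'cli') {
    $get = ['type' => '<script>alert(document.cookie)</script>', 'day' => '1', 'month' => '1', 'year' => '2004'];
    echo 'vulnerable: ', renderPreviewVulnerable($get), "\n";
    echo 'hardened:   ', renderPreviewHardened($get), "\n";
    echo 'comment:    ', renderComment('<img src=x onerror=alert(1)>'), "\n";
    echo 'script tag survives hardened render: ',
        containsRawTag(renderPreviewHardened($get), 'script') ? 'yes' : 'no', "\n";
}
```

Validation and encoding are deliberately separate steps: validation rejects values that cannot be a calendar type or date at all, and `htmlspecialchars` with `ENT_QUOTES` guarantees that whatever survives validation is inert in element content and in quoted attributes. Encoding comments on output rather than on save is what makes previously stored payloads harmless without a database clean-up.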
Preconditions
- config: The Event Calendar module 2.13 must be installed and accessible on a PHP-Nuke site.
- input: For reflected XSS, the attacker must trick a victim into clicking a crafted URL containing malicious script in the type, day, month, or year parameter.
- auth: For stored XSS in event comments, the attacker must be able to submit a comment on an event (any user can do so).
Reproduction
1. Navigate to `http://target/nuke73/modules.php?name=Calendar&file=submit&op2=Preview&type=
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.