VYPR
Unrated severity · NVD Advisory · Published Feb 12, 2010 · Updated Apr 29, 2026

CVE-2010-0636

Description

Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar 1.2.0, and other versions before 1.2.5, allow remote attackers to inject arbitrary web script or HTML via the (1) tab parameter to users.php and the PATH_INFO to (2) day.php, (3) month.php, and (4) week.php. NOTE: some of these details are obtained from third party information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple XSS vulnerabilities in WebCalendar 1.2.0 through 1.2.4 allow remote attackers to inject arbitrary script via the tab parameter or PATH_INFO.

Vulnerability

WebCalendar versions 1.2.0 to 1.2.4 (before 1.2.5) contain multiple cross-site scripting (XSS) vulnerabilities. The flaws exist in the tab parameter of users.php and the PATH_INFO of day.php, month.php, and week.php. These parameters are not properly sanitized before being reflected in the output, allowing injection of arbitrary HTML and JavaScript. [1]

Exploitation

An attacker can exploit these vulnerabilities by crafting a malicious URL containing the XSS payload in the vulnerable parameter. No authentication is required; the attacker only needs to trick a victim into clicking the crafted link. The payload will execute in the context of the victim's browser when the page loads.

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page. The attack is limited to the user's session and does not directly compromise the server.

Mitigation

The vulnerability is fixed in WebCalendar version 1.2.5, released after the disclosure. Users should upgrade to 1.2.5 or later. The project has moved to GitHub (https://github.com/craigk5n/webcalendar) where the latest releases are available. [1] No workarounds are documented in the available references.
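For reviewing web server logs for requests of the kind described under Exploitation, the following is an added example, not part of the advisory or the WebCalendar project. It flags request targets that carry HTML metacharacters in the tab parameter of users.php or in the PATH_INFO of day.php, month.php and week.php; the access-log layout, the /webcalendar/ path prefix, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Scripts the CVE description names as reflecting PATH_INFO.
PATH_INFO_SCRIPTS = ("day.php", "month.php", "week.php")
MARKUP = re.compile(r"[<>\"']")  # characters that can break out of an HTML context
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (assumed access-log layout, documentation IP range).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2010:10:00:01 +0000] "GET /webcalendar/month.php?date=20100201 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [12/Feb/2010:10:00:05 +0000] "GET /webcalendar/week.php/%22%3E%3Cb%3Ex HTTP/1.1" 200 5301',
    '192.0.2.12 - - [12/Feb/2010:10:00:09 +0000] "GET /webcalendar/users.php?tab=%2522%253E HTTP/1.1" 200 2210',
    '192.0.2.13 - - [12/Feb/2010:10:00:12 +0000] "GET /webcalendar/users.php?tab=groups HTTP/1.1" 200 2188',
]

def classify(target):
    """Return a reason if the request target fits the CVE-2010-0636 pattern, else None."""
    parts = urlsplit(target)
    path = unquote(unquote(parts.path))  # decode twice to catch double encoding
    for script in PATH_INFO_SCRIPTS:
        marker = "/" + script + "/"
        if marker in path:
            path_info = path.split(marker, 1)[1]  # everything after the script name
            if MARKUP.search(path_info):
                return f"markup in PATH_INFO of {script}"
    if path.endswith("/users.php"):
        # parse_qs decodes once; unquote again for double-encoded values
        for value in parse_qs(parts.query, keep_blank_values=True).get("tab", []):
            if MARKUP.search(unquote(value)):
                return "markup in tab parameter of users.php"
    return None

def scan(lines):
    """Return (line_number, reason) for every log line that classify() flags."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        reason = classify(match.group(1)) if match else None
        if reason:
            hits.append((number, reason))
    return hits

if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

A hit shows only that such a request was received, not that the script ran in a browser; legitimate values containing quotes would also be flagged.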

References
  1. WebCalendar

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
