VYPR
Unrated severity · NVD Advisory · Published Jul 20, 2023 · Updated Nov 22, 2024

Codecanyon Tiva Events Calender cross site scripting

CVE-2023-3787

Description

A vulnerability classified as problematic was found in Codecanyon Tiva Events Calender 1.4. This vulnerability affects unknown code. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-235054 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

Root cause

"The manipulation of the argument name leads to cross site scripting."

Attack vector

The vulnerability is triggered by manipulating the 'name' argument during a POST request to the `/admin/report/edit.php` endpoint. An attacker can inject malicious script into this argument, which is then reflected in the application's response. The attack can be initiated remotely, and the exploit has been publicly disclosed [ref_id=1].

What the fix does

The advisory suggests several remediation steps to address the vulnerability. These include encoding and escaping the content of the 'name' input field before transmission, restricting the input field to disallow special characters, and sanitizing output locations on both the frontend and backend by encoding them to prevent script execution [ref_id=1].
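
The two layers described above (restricting the 'name' input and encoding it at every output location) can be sketched as follows. This is an added example, not code from the advisory or the vendor: PHP is assumed from the `.php` endpoint, and the function names, the allowlist pattern and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the vendor's edit.php source is not shown on this page.

/** Input restriction: accept only letters, digits, space and a few punctuation marks. */
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    // Assumed policy: 1-64 characters; < > " ' & fall outside the allowed class.
    // With /u, invalid UTF-8 makes preg_match() return false, so it is rejected too.
    if (preg_match('/^[\p{L}\p{N} ._-]{1,64}$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

/** Output encoding for HTML element and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the form field; encoding is applied even to values that passed validation. */
function render_name_field(string $storedName): string
{
    return '<input type="text" name="name" value="' . h($storedName) . '">';
}

// Constructed sample inputs standing in for $_POST['name'].
$samples = ['Quarterly report', '"><script>alert(1)</script>'];

foreach ($samples as $posted) {
    $name = validate_name($posted);
    if ($name === null) {
        // Rejected at input; the rejected value is still encoded before it is echoed.
        echo 'Rejected: ' . h($posted) . PHP_EOL;
        continue;
    }
    echo render_name_field($name) . PHP_EOL;
}
```

Validation alone is not sufficient, because values stored before the check existed or written through another code path still reach the page; the encoding call at the output location is what keeps the value from being parsed as markup.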

Preconditions

  • Input: The attacker must be able to control the 'name' argument.

Reproduction

The public exploit reference provides a link to a full disclosure which includes PoC session logs detailing the manipulation of the 'name' argument and the resulting HTTP requests and responses [ref_id=1].

Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
