Extension - digital-peak.com - XSS vulnerability in DP Calendar component for Joomla 8.0.0-8.0.14
Description
XSS vulnerability in DP Calendar component for Joomla.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in the DPCalendar component for Joomla allows attackers to inject malicious scripts via calendar event data.
Vulnerability
DPCalendar (versions prior to the fix for CVE-2024-21727) contains a stored cross-site scripting (XSS) vulnerability. The component fails to properly sanitize user-supplied input when creating or editing calendar events. This affects all installations where front-end editing or back-end event creation/editing is permitted. The vulnerability is present in the event title, description, or other custom event fields that are rendered in calendar views or modules.
Exploitation
An attacker needs the ability to create or edit calendar events — this can be achieved with a Joomla account that has event editing privileges (e.g., front-end editing enabled for registered users). The attacker crafts a malicious payload (e.g., JavaScript within event fields). When a victim (administrator or other visitor) views the event in a calendar view, the payload executes in their browser. No further user interaction beyond viewing the event page is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, redirection to malicious sites, modification of page content, or other client-side attacks. The attack could compromise the confidentiality and integrity of the Joomla site for administrators or users who view the tainted event.
Mitigation
The vendor (Digital Peak) released a fix in a subsequent version of DPCalendar [1]. Users should update to the latest patched version available from the Joomla Extensions Directory. As a general security best practice, limit front-end editing privileges to trusted user groups and sanitize all user input in custom fields. Joomla's built-in content filtering should also be configured to block script tags.
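The mitigation advice above comes down to two things: never trust stored event fields at render time, and restrict what the editing user groups are allowed to submit. The following PHP is an added illustration of the first point; it is not DPCalendar's own code and the `$event` array shape (`title`, `description`, `url`) is an assumption made for the example. It places the unsafe rendering pattern next to a hardened one and includes a small check that a template can use to confirm no active content survives encoding.

```php
<?php
// Added example (not DPCalendar code): output-encoding calendar event fields.
// Assumed event shape: ['title' => ..., 'description' => ..., 'url' => ...].
declare(strict_types=1);

/** Escape an untrusted string for an HTML text node or a quoted attribute. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Unsafe pattern: stored fields are interpolated into the view unchanged, so
 * any markup saved by an editor is interpreted by every viewer's browser.
 */
function renderEventUnsafe(array $event): string
{
    return '<div class="event"><h3>' . $event['title'] . '</h3>'
        . '<p>' . $event['description'] . '</p>'
        . '<a href="' . $event['url'] . '">More</a></div>';
}

/** Accept only absolute http(s) URLs; rejects javascript:, data: and relative tricks. */
function safeHttpUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : null;
}

/**
 * Hardened pattern: every field is treated as plain text when rendered.
 *  - title and description are HTML-escaped; nl2br() runs only after escaping,
 *    so the <br> tags it inserts are the only markup that can survive;
 *  - the link is dropped unless it is an absolute http(s) URL, and the
 *    accepted value is escaped again because it lands inside an attribute.
 */
function renderEventSafe(array $event): string
{
    $title       = escapeHtml((string) ($event['title'] ?? ''));
    $description = nl2br(escapeHtml((string) ($event['description'] ?? '')));
    $url         = safeHttpUrl((string) ($event['url'] ?? ''));

    $html = '<div class="event"><h3>' . $title . '</h3><p>' . $description . '</p>';
    if ($url !== null) {
        $html .= '<a href="' . escapeHtml($url) . '" rel="noopener">More</a>';
    }
    return $html . '</div>';
}

/**
 * Cheap regression check for a template: after encoding, no raw <script> tag,
 * inline event handler or javascript: scheme should be present in the output.
 */
function containsActiveContent(string $html): bool
{
    return (bool) preg_match('/<script\b|\son[a-z]+\s*=|javascript:/i', $html);
}

// Constructed sample record, as a low-privileged editor could store it.
$storedEvent = [
    'title'       => 'Team sync <img src=x onerror="alert(1)">',
    'description' => "Agenda:\n<script>alert(1)</script>",
    'url'         => 'javascript:alert(1)',
];

$unsafe = renderEventUnsafe($storedEvent);
$safe   = renderEventSafe($storedEvent);

echo $unsafe, PHP_EOL; // markup reaches the browser intact
echo $safe, PHP_EOL;   // payloads rendered as visible text; link omitted
var_dump(containsActiveContent($unsafe)); // bool(true)
var_dump(containsActiveContent($safe));   // bool(false)
```

Encoding on output is the control that holds even when a filter on input is misconfigured or bypassed, which is why the example escapes at render time rather than relying on what was saved. The second half of the advice, restricting what editors can submit, maps to Joomla's Global Configuration Text Filters, where the groups granted front-end editing should not be set to "No Filtering"; that setting and the output encoding together are what the update removes the need to rely on alone.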
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 8.0.0-8.14.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] extensions.joomla.org/extension/dpcalendar/mitreproduct
News mentions
No linked articles in our index yet.