VYPR
Medium severity (CVSS 6.4) · OSV Advisory · Published Aug 3, 2025 · Updated Apr 15, 2026

CVE-2025-52131

Description

The Mocca Calendar application before 2.15 for XWiki allows XSS via the background or text color field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in XWiki Mocca Calendar allows any user with view rights to execute arbitrary JavaScript via unsanitized color fields.

Vulnerability

The Mocca Calendar application (versions before 2.15) for XWiki suffers from a stored Cross-Site Scripting (XSS) vulnerability in its event creation and calendar configuration interfaces. The background and text color fields fail to properly escape user-supplied input, allowing injection of arbitrary HTML and JavaScript [4]. This affects both individual event color fields and the default calendar color settings.

Exploitation

Any user with view rights on a calendar page can exploit this flaw by creating or editing an event and inserting a script tag into the background or text color field [4]. When another user clicks the crafted event to open its modal view, the injected script executes before the modal has fully loaded. The same attack vector works by injecting a script into the default calendar colors, which affects every event that inherits those colors [4]. Notably, the script does not execute when the event page itself is viewed directly; it runs only within the modal [4].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript, HTML, or CSS in the context of the victim's session. This can lead to session hijacking, defacement, or unauthorized actions performed on behalf of the victim, impacting every user with view rights on the calendar page [4].

Mitigation

The vulnerability is fixed in Mocca Calendar version 2.15 for XWiki [1][4]. Users should upgrade to this version immediately. No workarounds are available [4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
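As an added illustration of the mechanics described in the Exploitation and Mitigation sections above (example code written for this page, not Mocca Calendar's or XWiki's own), the block below assumes, hypothetically, a modal that interpolates an event's color fields into its markup as a template string. It shows how a breakout payload in such a field lands in the rendered markup, a hardened renderer that accepts only allowlisted CSS color syntax and falls back to a default otherwise, and a check over stored event records that flags color values which are not plain CSS colors. The field names (backgroundColor, textColor), the default colors, and the sample events are constructed assumptions.

```javascript
'use strict';
// Added example, not Mocca Calendar's code. Hypothetical modal rendering:
// colour fields are assumed to be interpolated into an HTML template string.

// Allowlist of CSS colour syntaxes: #rgb, #rgba, #rrggbb, #rrggbbaa,
// rgb()/rgba() with decimal components, or a short list of named colours.
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const RGB_COLOR = /^rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$/i;
const NAMED_COLORS = new Set(['red', 'green', 'blue', 'black', 'white', 'gray', 'orange', 'yellow']);

// Returns true only for values that cannot carry markup or attribute breakouts.
function isSafeCssColor(value) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  return HEX_COLOR.test(v) || RGB_COLOR.test(v) || NAMED_COLORS.has(v.toLowerCase());
}

// Minimal HTML escaping for text content and quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Assumed defaults used when a stored colour fails validation.
const DEFAULTS = { backgroundColor: '#3788d8', textColor: '#ffffff' };

// Vulnerable pattern: colour values are dropped into the style attribute verbatim,
// so a value ending in '"' followed by markup escapes the attribute and the tag.
function buildModalHtmlUnsafe(ev) {
  return `<div class="event-modal" style="background-color:${ev.backgroundColor};color:${ev.textColor}">` +
    `<h3>${ev.title}</h3></div>`;
}

// Hardened pattern: colours must pass the allowlist or are replaced by defaults;
// the title is escaped as text. Nothing user-controlled reaches the markup raw.
function buildModalHtmlSafe(ev) {
  const bg = isSafeCssColor(ev.backgroundColor) ? ev.backgroundColor.trim() : DEFAULTS.backgroundColor;
  const fg = isSafeCssColor(ev.textColor) ? ev.textColor.trim() : DEFAULTS.textColor;
  return `<div class="event-modal" style="background-color:${bg};color:${fg}">` +
    `<h3>${escapeHtml(ev.title)}</h3></div>`;
}

// Post-upgrade check: list stored events whose colour fields are not plain CSS colours.
// Patching the renderer stops execution, but a payload already saved in an event
// stays in the data until someone removes it; this surfaces such records.
function findSuspiciousColorFields(events) {
  const hits = [];
  for (const ev of events) {
    for (const field of ['backgroundColor', 'textColor']) {
      const val = ev[field];
      if (val !== undefined && val !== '' && !isSafeCssColor(val)) {
        hits.push({ id: ev.id, field, value: val });
      }
    }
  }
  return hits;
}

// Constructed sample records: one benign event, one carrying an attribute breakout.
const SAMPLE_EVENTS = [
  { id: 'ev1', title: 'Team sync', backgroundColor: '#ff8800', textColor: 'white' },
  { id: 'ev2', title: 'Review', backgroundColor: 'red"><img src=x onerror=alert(1)><div style="', textColor: '#000' },
];

console.log('unsafe:', buildModalHtmlUnsafe(SAMPLE_EVENTS[1]));
console.log('safe:  ', buildModalHtmlSafe(SAMPLE_EVENTS[1]));
console.log('flagged:', findSuspiciousColorFields(SAMPLE_EVENTS));
```

Run it with node to see the unsafe output with the `<img ... onerror>` element emitted as live markup, the hardened output with the background colour replaced by the default, and the second record flagged by the check. The validator deliberately rejects anything outside a small allowlist rather than trying to strip dangerous characters; a colour value has no legitimate need for quotes, angle brackets or parentheses beyond the rgb() form, so rejecting and falling back is both simpler and safer than sanitising.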

Affected products: 2

Patches: 1

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0. No linked articles in our index yet.