CVE-2025-52133
Description
The Mocca Calendar application before 2.15 for XWiki allows XSS via a title upon calendar import.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mocca Calendar for XWiki before 2.15 has a stored XSS vulnerability where an unescaped event title during calendar import executes arbitrary JavaScript when viewing the event page.
Vulnerability
The Mocca Calendar application for XWiki, prior to version 2.15, contains a stored cross-site scripting (XSS) vulnerability in its calendar import functionality. When a calendar is imported, the event title is not properly sanitized or escaped, allowing an attacker to inject arbitrary HTML and JavaScript code into the title field [4].
Exploitation
An attacker with the ability to view and import calendars can exploit this by crafting a calendar file containing an event with a malicious title (e.g., ``). This title appears safely in the calendar UI but, when the targeted user navigates to the detailed event page, the injected script executes in the context of the user's browser [4]. No special privileges beyond standard view rights are needed to import the crafted calendar.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of any user viewing the imported event page. This can lead to session hijacking, data theft, or further actions within the XWiki instance on behalf of the victim. The attack does not require the victim to have edit rights, only view access to the calendar and event page [4].
Mitigation
The vulnerability is fixed in Mocca Calendar version 2.15. Users are advised to update to this or a later release. As a workaround, administrators can manually inspect imported events and delete any with suspicious titles before opening the event detail page [2][4].
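As an added example (not code from the Mocca Calendar project or from this page), the following Python sketches the defect the narrative describes and its remedy: a minimal VEVENT parser for an imported calendar, a triage check that flags imported titles containing markup (the "inspect imported events" workaround above, automated), and a page renderer that interpolates the title raw beside one that HTML-escapes it. The iCalendar sample, the function names and the markup heuristic are all constructed assumptions; Mocca Calendar itself is an XWiki extension written in Java and Velocity, and the real fix is in the 2.15 release, not here.

```python
import html
import re

# Constructed sample iCalendar feed (assumption, not data from the advisory):
# one benign event and one whose SUMMARY carries markup, the kind of imported
# title the CVE narrative describes.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:evt-1
SUMMARY:Team sync
DTSTART:20250601T090000Z
END:VEVENT
BEGIN:VEVENT
UID:evt-2
SUMMARY:Budget review <script>alert(1)</script>
DTSTART:20250602T090000Z
END:VEVENT
END:VCALENDAR
"""


def parse_events(ics: str) -> list:
    """Minimal VEVENT parser: one dict of properties per event.

    Deliberately ignores RFC 5545 line folding and value escaping; it is
    only here to turn the sample feed into event records.
    """
    events, current = [], None
    for raw in ics.splitlines():
        line = raw.strip()
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.upper()] = value
    return events


# Heuristic for triage, not a sanitizer: tags, javascript: URLs, on*= handlers.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_titles(events: list) -> list:
    """Return UIDs of imported events whose title contains markup-like content."""
    return [e["UID"] for e in events if MARKUP_RE.search(e.get("SUMMARY", ""))]


def render_event_vulnerable(event: dict) -> str:
    """Interpolates the stored title unescaped: the pre-2.15 behaviour the
    narrative describes, shown here only as the 'before' of the fix."""
    return f"<h1>{event.get('SUMMARY', '')}</h1>"


def render_event_fixed(event: dict) -> str:
    """Same page, but the title is HTML-escaped at output time, so any tag
    in the imported data is shown as literal text instead of being parsed."""
    return f"<h1>{html.escape(event.get('SUMMARY', ''), quote=True)}</h1>"


if __name__ == "__main__":
    evts = parse_events(SAMPLE_ICS)
    print("flagged for review:", suspicious_titles(evts))
    for e in evts:
        print("unsafe:", render_event_vulnerable(e))
        print("safe:  ", render_event_fixed(e))
```

The important design point is that escaping happens at render time, on every output of the title, rather than at import time: stored data can reach the page through more than one view, and an import-time filter that misses a case leaves every later view exposed. The regex check is a review aid for administrators on unpatched instances, not a substitute for the escaping.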
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: application-mocca-calendar-2.1.3, application-mocca-calendar-2.10, application-mocca-calendar-2.11, …
- Range: <2.15
Patches
1cfcd48e67d2f
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.