Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Supercali Event Calendar 1.0.8: XSS

From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Tue, 03 Nov 2015 11:55:10 +0100
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Supercali Event Calendar 1.0.8
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://supercali.inforest.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability via the "id" GET parameter when editing a group
in Supercali Event Calendar 1.0.8. With this, it is possible to steal cookies
or inject JavaScript keyloggers.

3. Proof of Concept


http://supercali-1.0.8/supercali-1.0.8/edit_groups.php?mode=edit_group&id=<script>alert('xss')</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/Supercali-Event-Calendar-108-XSS-69.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: