Supercali Event Calendar 1.0.8: XSS
Date: 2015-10-07 16:00:24
1. Introduction
| Affected Product: | Supercali Event Calendar 1.0.8 |
| Fixed in: | not fixed |
| Fixed Version Link: | n/a |
| Vendor Website: | http://supercali.inforest.com/ |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 09/01/2015 |
| Disclosed to public: | 10/07/2015 |
| Release mode: | Full Disclosure |
| CVE: | n/a |
| Credits: | Tim Coen of Curesec GmbH |
2. Vulnerability Description
There is an XSS vulnerability via the "id" GET parameter when editing a group in Supercali Event Calendar 1.0.8. With this, it is possible to steal cookies or inject JavaScript keyloggers.
3. Proof of Concept
http://supercali-1.0.8/supercali-1.0.8/edit_groups.php?mode=edit_group&id=<script>alert('xss')</script>
4. Solution
This issue was not fixed by the vendor.
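Since no vendor fix exists, operators of an exposed instance can at least detect attempts to abuse the "id" parameter of edit_groups.php in their web-server logs. The script below is an added example, not part of the Curesec advisory or of the Supercali code; the access-log lines, host paths and client addresses in it are constructed. It flags any edit_groups.php request whose id is not a plain decimal integer, decoding the value twice so that double-URL-encoded payloads are caught as well.

```python
"""Detect suspicious edit_groups.php "id" values in access logs.

Added example for the Supercali 1.0.8 XSS advisory; not vendor code.
Log lines below are constructed samples in combined log format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (placeholder addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Oct/2015:16:00:24 +0200] "GET /supercali-1.0.8/edit_groups.php?mode=edit_group&id=7 HTTP/1.1" 200 4120
192.0.2.11 - - [07/Oct/2015:16:00:31 +0200] "GET /supercali-1.0.8/edit_groups.php?mode=edit_group&id=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E HTTP/1.1" 200 4210
192.0.2.12 - - [07/Oct/2015:16:01:02 +0200] "GET /supercali-1.0.8/index.php HTTP/1.1" 200 9001
192.0.2.13 - - [07/Oct/2015:16:01:40 +0200] "GET /supercali-1.0.8/edit_groups.php?mode=edit_group&id=%253Cscript%253Ealert%2528%2527xss%2527%2529%253C%252Fscript%253E HTTP/1.1" 200 4230
"""

# client, timestamp, method, request target and status of a combined-format line
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def id_is_suspicious(raw_id: str) -> bool:
    """A group id should be a plain decimal integer.

    raw_id has already been percent-decoded once by parse_qs; unquote decodes
    it a second time so a double-encoded payload does not slip through.
    """
    decoded = unquote(raw_id)
    return re.fullmatch(r"[0-9]+", decoded) is None


def find_xss_attempts(log_text: str) -> list:
    """Return one record per edit_groups.php request with a non-numeric id."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        url = urlsplit(m["target"])
        if not url.path.endswith("/edit_groups.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for raw_id in params.get("id", []):
            if id_is_suspicious(raw_id):
                hits.append({"client": m["client"], "time": m["ts"],
                             "id": unquote(raw_id)})
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(hit)
```

The check is deliberately an allow-list (digits only) rather than a search for "<script>", so encoded or obfuscated variants are reported without maintaining a payload signature list.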
5. Report Timeline
| 09/01/2015 | Informed Vendor about Issue (no reply) |
| 10/07/2015 | Disclosed to public |