Supercali Event Calendar 1.0.8: XSS

Supercali Event Calendar 1.0.8: XSS

Date: 2015-10-07 16:00:24
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Supercali Event Calendar 1.0.8
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website:
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability via the "id" GET parameter when editing a group in Supercali Event Calendar 1.0.8. With this, it is possible to steal cookies or inject JavaScript keyloggers.

3. Proof of Concept


4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
10/07/2015 Disclosed to public