full-disclosure

Open Source and information security mailing list archives

Message-ID: <0M9cIl-1ZkXUv439L-00D2Kb@mrelayeu.kundenserver.de>
Date: Tue, 03 Nov 2015 11:55:10 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Supercali Event Calendar 1.0.8: XSS

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Supercali Event Calendar 1.0.8
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://supercali.inforest.com/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability via the "id" GET parameter when editing a group
in Supercali Event Calendar 1.0.8. With this, it is possible to steal cookies
or inject JavaScript keyloggers.

3. Proof of Concept

http://supercali-1.0.8/supercali-1.0.8/edit_groups.php?mode=edit_group&id=<script>alert('xss')</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/Supercali-Event-Calendar-108-XSS-69.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives