CVE-2007-6696
published 2008-02-01
Priority: P4 · 13 · low
CVSS 2.0: 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
EXPLOIT
EPSS: 1.73% (74.8th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar 1.1.6 allow remote attackers to inject arbitrary web script or HTML via (1) an event description, (2) the query string to pref.php, and (3) the adv parameter to search.php. NOTE: vector 1 requires user authentication.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webcalendar | webcalendar | — | — |
No detection rules found.
Exploit-DB
WebCalendar 1.1.6 - 'search.php' Cross-Site Scripting
exploitdb·2008-01-25
---
source: https://www.securityfocus.com/bid/27461/info
WebCalendar is prone to multiple HTML-injection and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. The attacker could also exploit the HTML-injection issues to control how the site is rendered to the user; other attacks are also possible.
These issues affect WebCalendar 1.1.6; other versions may also be vulnerable.
http://www.example.com/search.php?adv=>"'>
Exploit-DB
WebCalendar 1.1.6 - 'pref.php' Cross-Site Scripting
exploitdb·2008-01-25
---
source: https://www.securityfocus.com/bid/27461/info
WebCalendar is prone to multiple HTML-injection and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. The attacker could also exploit the HTML-injection issues to control how the site is rendered to the user; other attacks are also possible.
These issues affect WebCalendar 1.1.6; other versions may also be vulnerable.
http://www.example.com/pref.php?>'">alert('XSS')
No writeups or analysis indexed.
http://osvdb.org/41274
http://osvdb.org/41275
http://osvdb.org/41276
http://www.digitrustgroup.com/advisories/web-application-security-webcalendar.html
http://www.securityfocus.com/bid/27461