Description
Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar 1.1.6 allow remote attackers to inject arbitrary web script or HTML via (1) an event description, (2) the query string to pref.php, and (3) the adv parameter to search.php. NOTE: vector 1 requires user authentication.
Exploits (2)
exploitdb · WORKING POC · VERIFIED · by Omer Singer · text · webapps · php
https://www.exploit-db.com/exploits/31064
exploitdb · WORKING POC · VERIFIED · by Omer Singer · text · webapps · php
https://www.exploit-db.com/exploits/31063
References (5)
Core References
Exploit · vdb-entry · x_refsource_bid
http://www.securityfocus.com/bid/27461
Exploit · x_refsource_misc
http://www.digitrustgroup.com/advisories/web-application-security-webcalendar.html
Third Party Advisory, VDB Entry · vdb-entry · x_refsource_osvdb
http://osvdb.org/41276
Third Party Advisory, VDB Entry · vdb-entry · x_refsource_osvdb
http://osvdb.org/41275
Third Party Advisory, VDB Entry · vdb-entry · x_refsource_osvdb
http://osvdb.org/41274
Scores
EPSS: 0.0044
EPSS Percentile: 63.3%
Details
CWE: CWE-79
Status: published
Products (1)
webcalendar/webcalendar 1.1.6
Published: Feb 01, 2008
Tracked Since: Feb 18, 2026