Description
Multiple cross-site scripting (XSS) vulnerabilities in Sun Calendar Express Web Server in Sun ONE Calendar Server 6.0 and Sun Java System Calendar Server 6 2004Q2 through 6.3-7.01 allow remote attackers to inject arbitrary web script or HTML via (1) the fmt-out parameter to login.wcap or (2) the date parameter to command.shtml.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by SCS team · textwebappsjava
https://www.exploit-db.com/exploits/32862
References (7)
Core 7
Core References
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/0905
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/34153
Patch, Vendor Advisory vendor-advisory
x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-256228-1
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/502320/100/0/threaded
Exploit x_refsource_misc
http://www.coresecurity.com/content/sun-calendar-express
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/34152
Vendor Advisory vendor-advisory
x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020321.1-1
Scores
EPSS
0.0198
EPSS Percentile
83.7%
Details
CWE
CWE-79
Status
published
Products (3)
sun/java_system_calendar_server
6 (3 CPE variants)
sun/java_system_calendar_server
6.3 (3 CPE variants)
sun/one_calendar_server
6.0 (3 CPE variants)
Published
Apr 01, 2009
Tracked Since
Feb 18, 2026