CVE-2018-11628

MEDIUM

Emssoftware Ems Master Calendar < 8.0.0.201805210 - XSS

Title source: rule

Description

Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS.

Exploits (1)

exploitdb WORKING POC

by Chris Barretto · textwebappsaspx

https://www.exploit-db.com/exploits/44831

View Code ZIP pw:eip

References (4)

Core 4

Core References

Third Party Advisory x_refsource_misc

https://gist.github.com/barrett092/c70752ca6960b8b9616a03006f291a28

Release Notes x_refsource_misc

https://docs.emssoftware.com/Content/V44.1_ReleaseNotes.htm

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/104428

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44831/

Scores

CVSS v3 6.1

EPSS 0.0227

EPSS Percentile 84.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

emssoftware/ems_master_calendar < 8.0.0.201805210

Published Jun 01, 2018

Tracked Since Feb 18, 2026