CVE-2018-11628

MEDIUM

EMS Master Calendar < 8.0.0.201805210 - Cross-Site Scripting via URL Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-11628. PoCs published by Chris Barretto.

AI-analyzed exploit summary: This exploit demonstrates a reflected XSS vulnerability in EMS Master Calendar versions prior to 8.0.0.201805210. The PoC URL injects a script tag via the 'Name' parameter, which is not properly sanitized, leading to arbitrary JavaScript execution in the context of the user's browser.

Description

Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS.

Exploits (1)

exploitdb WORKING POC
by Chris Barretto · text · webapps · aspx
https://www.exploit-db.com/exploits/44831


Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: EMS Master Calendar < 8.0.0.201805210
No auth needed
Prerequisites: A crafted URL with malicious JavaScript payload · Victim interaction to visit the URL
devstral-2 · analyzed Feb 16, 2026

References (4)

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104428
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44831/

Scores

CVSS v3 6.1
EPSS 0.0347
EPSS Percentile 87.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
emssoftware/ems_master_calendar < 8.0.0.201805210
Published Jun 01, 2018
Tracked Since Feb 18, 2026