CVE-2024-1097

MEDIUM

k5n webcalendar 1.3.0 - Stored Cross-Site Scripting via Report Name Input Field

Title source: llm
STIX 2.1

Description

A stored cross-site scripting (XSS) vulnerability exists in craigk5n/webcalendar version 1.3.0. The vulnerability occurs in the 'Report Name' input field while creating a new report. An attacker can inject malicious scripts, which are then executed in the context of other users who view the report, potentially leading to the theft of user accounts and cookies.

References (1)

Core 1
Core References

Scores

CVSS v3 5.4
EPSS 0.0032
EPSS Percentile 23.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
k5n/webcalendar 1.3.0
Published Nov 15, 2024
Tracked Since Feb 18, 2026