Stored XSS in craigk5n/webcalendar

Valid

Reported on

Oct 19th 2022


Description

webcalendar has a feature to add an event and display its location. This feature leads to stored XSS every time a user opens the calendar or the event detail page.

Proof of Concept

  1. Log in as a user
  2. Create an event
  3. Insert the payload in the "location" field
  4. Save
  5. Go back to the calendar
  6. XSS

#PAYLOAD

"><svg><animatetransform onbegin=alert(document.cookie)>

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
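The leading `">` in the payload suggests the stored location value is written into HTML without output encoding. The following PHP is an added example, not WebCalendar's code and not the fix commit: it renders the reported value through an unencoded and an encoded path and parses both results to list any markup the value introduced. The function names and the `<span>` markup are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from WebCalendar.

// The location value from the report's proof of concept.
$location = '"><svg><animatetransform onbegin=alert(document.cookie)>';

// Unsafe pattern: the stored value is concatenated into an attribute
// value and a text node exactly as it came from the database.
function render_location_unsafe(string $location): string
{
    return '<span class="location" title="' . $location . '">'
        . $location . '</span>';
}

// Hardened pattern: encode at output time. ENT_QUOTES covers both quote
// styles, so the value cannot close the attribute or open a new tag.
function render_location_safe(string $location): string
{
    $enc = htmlspecialchars($location, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="location" title="' . $enc . '">' . $enc . '</span>';
}

// Regression check: parse the rendered fragment and report every element
// other than the wrapper, plus every on* event-handler attribute.
function injected_nodes(string $html): array
{
    libxml_use_internal_errors(true);   // unknown tags raise parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $found = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (!in_array($el->nodeName, ['html', 'body', 'span'], true)) {
            $found[] = $el->nodeName;
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $found[] = $el->nodeName . '@' . $attr->name;
            }
        }
    }
    return $found;
}

echo 'unsafe: ', json_encode(injected_nodes(render_location_unsafe($location))), PHP_EOL;
echo 'safe:   ', json_encode(injected_nodes(render_location_safe($location))), PHP_EOL;
```

A check like `injected_nodes()` can run in a test suite against every template that prints user-controlled event fields, so a missed encoding call fails the build.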

We are processing your report and will contact the craigk5n/webcalendar team within 24 hours. 5 months ago
We have contacted a member of the craigk5n/webcalendar team and are waiting to hear back 5 months ago
We have sent a follow up to the craigk5n/webcalendar team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the craigk5n/webcalendar team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the craigk5n/webcalendar team. This report is now considered stale. 5 months ago
Hakiduck
4 months ago

Researcher


@mantainer?

craigk5n/webcalendar maintainer has acknowledged this report 3 months ago
Craig Knudsen
3 months ago

Maintainer


I was able to reproduce this issue

Craig Knudsen validated this vulnerability 3 months ago

Resolved in commit 7906b4924c2dc3727c3540682f432ebbb93f810d in the master branch on github. The fix will be included in the next release (1.9.2).

Hakiduck has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Craig Knudsen marked this as fixed in master with commit 7906b4 3 months ago
Craig Knudsen has been awarded the fix bounty
This vulnerability has been assigned a CVE
Craig Knudsen published this vulnerability 3 months ago