Stored XSS in craigk5n/webcalendar

Valid

Reported on

Oct 19th 2022


Description

webcalendar has a feature to add event and display the location of it. This feature lead to stored xss everytime a user open the calendar or the event detail page.

Proof of Concept

  1. 1- login as user
  2. 2- create an event
  3. 3- insert the payload on "location" field
  4. 4- Save
  5. 5- Go back to the calendar
  6. 6- XSS

#PAYLOAD

"><svg><animatetransform onbegin=alert(document.cookie)>

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.

We are processing your report and will contact the craigk5n/webcalendar team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the craigk5n/webcalendar team and are waiting to hear back a year ago
We have sent a follow up to the craigk5n/webcalendar team. We will try again in 4 days. a year ago
We have sent a second follow up to the craigk5n/webcalendar team. We will try again in 7 days. a year ago
We have sent a third follow up to the craigk5n/webcalendar team. We will try again in 14 days. a year ago
Hakiduck
a year ago

Researcher


@mantainer?

craigk5n/webcalendar maintainer has acknowledged this report a year ago
Craig Knudsen
a year ago

Maintainer


I was able to reproduce this issue

Craig Knudsen validated this vulnerability a year ago

Resolved in commit 7906b4924c2dc3727c3540682f432ebbb93f810d in the master branch on github. The fix will be included in the next release (1.9.2).

mike993 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Craig Knudsen marked this as fixed in master with commit 7906b4 a year ago
Craig Knudsen has been awarded the fix bounty
This vulnerability has now been published a year ago
to join this conversation