CVE-2022-4455 – sproctor php-calendar index.php cross site scripting
https://notcve.org/view.php?id=CVE-2022-4455
A vulnerability, which was classified as problematic, was found in sproctor php-calendar. This affects an unknown part of the file index.php. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is a2941109b42201c19733127ced763e270a357809.
References: https://github.com/sproctor/php-calendar/commit/a2941109b42201c19733127ced763e270a357809 https://vuldb.com/?id.215445
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-707: Improper Neutralization
CVE-2021-42078 – PHP Event Calendar Lite Edition Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-42078
PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the site. PHP Event Calendar Lite Edition suffers from a persistent cross site scripting vulnerability.
References: http://seclists.org/fulldisclosure/2021/Nov/24 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-049.txt
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-6485
https://notcve.org/view.php?id=CVE-2017-6485
A Cross-Site Scripting (XSS) issue was discovered in php-calendar before 2017-03-03. The vulnerability exists due to insufficient filtering of user-supplied data (errorMsg) passed to the "php-calendar-master/error.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
References: https://github.com/jasonjoh/php-calendar/issues/4
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-2041
https://notcve.org/view.php?id=CVE-2010-2041
Multiple cross-site scripting (XSS) vulnerabilities in index.php in PHP-Calendar before 2.0 Beta7 allow remote attackers to inject arbitrary web script or HTML via the (1) description and (2) lastaction parameters.
References: http://packetstormsecurity.org/1005-advisories/phpcalendar-xss.txt http://php-calendar.blogspot.com/2010/05/php-calendar-20-beta7.html http://secunia.com/advisories/33899 http://www.securityfocus.com/archive/1/511395/100/0/threaded http://www.securityfocus.com/bid/40334 http://www.vupen.com/english/advisories/2010/1202 https://exchange.xforce.ibmcloud.com/vulnerabilities/58861
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2009-3702 – PHP-Calendar 1.1 - 'update08.php?configfile' Traversal Local File Inclusion
https://notcve.org/view.php?id=CVE-2009-3702
Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 allow remote attackers to include and execute arbitrary local files via a full pathname in the configfile parameter to (1) update08.php or (2) update10.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL. PHP-Calendar version 1.1 suffers from remote and local file inclusion vulnerabilities.
References: https://www.exploit-db.com/exploits/33436 https://www.exploit-db.com/exploits/33437 http://www.securityfocus.com/archive/1/508548/100/0/threaded
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')