WebCalendar 1.1.6 - 'pref.php' Cross-Site Scripting

Author: Omer Singer
type: webapps
platform: php
port: 
date_added: 2008-01-25 
date_updated: 2016-12-09 
verified: 1 
codes: CVE-2007-6696;OSVDB-41275 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comWebCalendar-1.1.6.zip

source: https://www.securityfocus.com/bid/27461/info

WebCalendar is prone to multiple HTML-injection and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. The attacker could also exploit the HTML-injection issues to control how the site is rendered to the user; other attacks are also possible.

These issues affect WebCalendar 1.1.6; other versions may also be vulnerable.

http://www.example.com/pref.php?>&#039;"><script>alert(&#039;XSS&#039;)</script>