Description
HauntIT has discovered a weakness and a vulnerability in PHP Calendar which can be exploited by malicious people to disclose certain system information and conduct cross-site scripting attacks.
1) An error related to error handling can be exploited to disclose the full installation path in an error message.
2) Input passed via the "lasturl" parameter to index.php (when "action" is set to "login") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
The weakness and vulnerability are confirmed in version 2.0.1. Other versions may also be affected.
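
One way to mitigate both issues, as an added example that is not PHP Calendar's own code: error details are kept out of responses, and the "lasturl" value is restricted to a same-site relative URL and HTML-encoded at the point of output. The function names `safe_lasturl()` and `h()` are hypothetical, and the hidden form field is an assumed output context, since the advisory does not say where the value is reflected.

```php
<?php
// Added illustration; not PHP Calendar's source. Function names are hypothetical.

// Issue 1: log errors instead of displaying them, so file paths never reach the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Accept only a same-site relative URL; anything else becomes a fixed default. */
function safe_lasturl($raw, string $default = 'index.php'): string
{
    // Array input (lasturl[]=x) is a common way to provoke type warnings.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 2048) {
        return $default;
    }
    // Reject control characters and backslashes.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $raw)) {
        return $default;
    }
    // Reject explicit schemes and protocol-relative URLs.
    if (preg_match('#^\s*([a-z][a-z0-9+.-]*:|//)#i', $raw)) {
        return $default;
    }
    $parts = parse_url($raw);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $raw;
}

/** Issue 2: encode for HTML text and quoted attribute contexts when writing output. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['lasturl'].
$samples = [
    'index.php?action=display&year=2012',   // kept as-is
    '"><b>injected</b>',                    // passes URL checks, neutralised by h()
    '//other.example/path',                 // replaced by the default
    ['array', 'value'],                     // replaced by the default
];
foreach ($samples as $raw) {
    $lasturl = safe_lasturl($raw);
    echo '<input type="hidden" name="lasturl" value="' . h($lasturl) . '">' . "\n";
}
```

The second sample shows why validation alone is not enough: a string with markup can still parse as a relative path, so the encoding step in `h()` is what prevents it from being interpreted as HTML.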