Summary
The event title is not escaped in the view event page, so any user with view rights on the calendar page can get XSS simply by creating or editing an event and putting a script in its title.
Details
Any user allowed to view the calendar page may create an event with a title such as "this is an XSS vulnerability<script>alert("hi!")</script>". The title displays fine in the calendar UI, but when the event page is opened the script is executed and the rendered title is missing the script part. When editing the event through the modal in the calendar page, the script does not seem to be executed, but the script part of the title is missing there as well.
The output in the view mode branch of MoccaCalendarEventSheet is not escaped. The expression that needs escaping is $eventInstance.getTitle() in the #else branch of #if($isEdit).
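The following Velocity fragment is an added illustration, not the Mocca Calendar source. It assumes the sheet has the #if($isEdit) / #else structure named above and that the view branch writes the title straight into the HTML; only the $eventInstance.getTitle() call is taken from the advisory. The fix is to pass the title through XWiki's $escapetool.html() so the browser displays the markup instead of interpreting it.

```velocity
## Added illustration (not the project's own code). The surrounding
## template structure is assumed; the getTitle() call is from the advisory.
#if($isEdit)
  ## edit branch (input field) omitted
#else
  ## Vulnerable: the raw title is written into the page, so a title
  ## containing <script>...</script> is executed by the viewer's browser.
  <h1>$eventInstance.getTitle()</h1>

  ## Hardened: HTML-escape the title so < > & " ' are rendered as text.
  <h1>$escapetool.html($eventInstance.getTitle())</h1>
#end
```

Only the escaped line should remain in a fixed template; the same rule applies to every other event field that reaches the view page (description, location), since each one is user-controlled input rendered for other users.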
PoC
- Install and activate the Mocca Calendar app
- Create an event titled <script>alert("hi!")</script> (any new user can do this)
- Open the event page in a new tab
- The page will run the script before fully loading the content
Workarounds
Before opening an event page, check its title either in the navigation tree or in the day view inside the calendar, where the title is displayed in full. Delete any event whose title contains suspicious text.
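The manual check above can be scripted by an administrator who has exported the event titles (for example from the navigation tree). The script below is an added example, not part of the advisory or the Mocca Calendar code; the event list is constructed here for illustration. It uses Python's HTML parser to flag any title that contains a real tag, which avoids false positives on harmless uses of "<" such as "<3".

```python
from html.parser import HTMLParser


class _MarkupDetector(HTMLParser):
    """Records every HTML tag name seen while parsing one title string."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        # self-closing form, e.g. <img ... />
        self.tags.append(tag)


def find_markup_tags(title):
    """Return the list of HTML tag names found in an event title ([] if none)."""
    parser = _MarkupDetector()
    parser.feed(title)
    parser.close()
    return parser.tags


def suspicious_events(events):
    """Return (event_name, tags) for every event whose title carries markup.

    `events` is an iterable of (event_name, title) pairs, as an admin might
    export them from the calendar's navigation tree.
    """
    flagged = []
    for name, title in events:
        tags = find_markup_tags(title)
        if tags:
            flagged.append((name, tags))
    return flagged


# Constructed sample export: two benign titles and two that embed markup.
SAMPLE_EVENTS = [
    ("evt-1", "Team <3 lunch"),
    ("evt-2", 'this is an XSS vulnerability<script>alert("hi!")</script>'),
    ("evt-3", "Standup <img src=x onerror=alert(1)>"),
    ("evt-4", "Quarterly review: 2 < 3 attendees expected"),
]

if __name__ == "__main__":
    for name, tags in suspicious_events(SAMPLE_EVENTS):
        print(f"{name}: review and delete (contains tags {tags})")
```

Anything the script flags should be reviewed in the day view, where the title is shown as text, and deleted rather than opened on its own event page.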
Impact
Everyone who views the event page is exposed to the attack and runs whatever JavaScript/HTML/CSS the event creator placed in the title.