Skip to content

Cross Site Scripting in background/text color or in the default calendar colors

Critical
ChiuchiuSorin published GHSA-jvq4-j2qw-q7x2 Jul 30, 2025

Package

maven com.xwiki.mocca-calendar:application-mocca-calendar (Maven)

Affected versions

<= 2.14.2

Patched versions

2.15

Description

Summary

The background and text color fields are not properly escaped in the event modal, allowing XSS for any user with view rights on the page, just by creating or editing an event and giving a script.

Details

Any user allowed to view the calendar page may create an event and add in the background or text color fields a script like <script>alert(1)</script>. The created event will be displayed inside the calendar with the default calendar colors and when opening the event modal, the script gets executed. The same behavior happens when a script is injected in the calendar default colors and a created event does not have set a custom color. The script doesn't seem to get executed when viewing the event page.

PoC

  1. Install and activate the Mocca Calendar (Pro) application
  2. Create an event and insert <script>alert(1)</script> inside the background/text color field(any new user can do this)
  3. Click on the newly created event to open the modal
  4. The page will run the script before fully loading the modal

Workarounds

None

Impact

Everyone who has view rights on the calendar page is susceptible to the attack, running any possibly malicious javascript/html/css code.

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2025-52131

Weaknesses

No CWEs