Impact
Everyone who has edit rights on the calendar page is susceptible to the attack, running any possibly malicious javascript/html/css code.
Details
Any user allowed to view the calendar page, may edit an instance of a recurrent event and set a title such as: this is an XSS vulenrability<script>alert(1)</script>, which will show fine in the Calendar UI. The script gets executed when opening the event modal and going to edit mode, missing the script part from the title. When simply viewing the event through the modal in the calendar page, the script doesn't seem to get executed, and the script part of the title is visible.
Workarounds
Do not open events with a suspicious title and immediately delete them.
PoC
- Install and activate the Mocca Calendar app
- Create a recurrent event.
- Edit an instance of the recurrent event and add a title such as:
<script>alert(1)</script>
- Open the edited event instance modal and press the
Edit button
Impact
Everyone who has edit rights on the calendar page is susceptible to the attack, running any possibly malicious javascript/html/css code.
Details
Any user allowed to view the calendar page, may edit an instance of a recurrent event and set a title such as:
this is an XSS vulenrability<script>alert(1)</script>, which will show fine in the Calendar UI. The script gets executed when opening the event modal and going to edit mode, missing the script part from the title. When simply viewing the event through the modal in the calendar page, the script doesn't seem to get executed, and the script part of the title is visible.Workarounds
Do not open events with a suspicious title and immediately delete them.
PoC
<script>alert(1)</script>Editbutton