Published:2025/02/17 Last Updated:2025/02/17
JVN#26024080
Multiple vulnerabilities in The LuxCal Web Calendar
Overview
The LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities.
Products Affected
- The LuxCal Web Calendar versions prior to 5.3.3M (MySQL version)
- The LuxCal Web Calendar versions prior to 5.3.3L (SQLite version)
Description
The LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.
- SQL injection in pdf.php (CWE-89)
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score 7.3
- CVE-2025-25221
- SQL injection in retrieve.php (CWE-89)
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score 7.3
- CVE-2025-25222
- Path traversal in dloader.php (CWE-22)
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Base Score 5.8
- CVE-2025-25223
- Missing authentication in dloader.php (CWE-306)
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
- CVE-2025-25224
Impact
- Information in a database may be deleted, altered, or retrieved (CVE-2025-25221, CVE-2025-25222)
- Arbitrary files on a server may be obtained (CVE-2025-25223, CVE-2025-25224)
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
CVE-2025-25221, CVE-2025-25222
Rikuto Tauchi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2025-25223, CVE-2025-25224
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-25221 |
|
CVE-2025-25222 |
|
|
CVE-2025-25223 |
|
|
CVE-2025-25224 |
|
| JVN iPedia |
JVNDB-2025-000012 |