Published:2009/08/21  Last Updated:2009/08/26

Site Calendar 'mycaljp' vulnerable to cross-site scripting


Site Calendar 'mycaljp' contains a cross-site scripting vulnerability.

Products Affected

  • Site Calendar 'mycaljp' Ver.2.0.0 - 2.0.6

  • The affected plugin is also contained in the following packages:

  • Japanese extended package of Geeklog versions 1.5.0 through 1.5.2
    Only packages released on or before June 29, 2009 are affected.

  • For more information, refer to the developers' website.


Site Calendar 'mycaljp' is a calendar plugin for Geeklog, which is an open source content management system. Site Calendar 'mycaljp' contains a cross-site scripting vulnerability.


An arbitrary script may be executed on the user's web browser.


Update the Software
Update to the latest version according to the information provided by the developers.


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.08.21

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Medium
Exploit Complexity Low - little to no expertise and/or luck required to exploit (cross-site scripting)
  • High

Description of each analysis measures


Masako Oono reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2009-3021
JVN iPedia JVNDB-2009-000055

Update History