JVN#23340457: Multiple vulnerabilities in WebCalendar

Overview

WebCalendar provided by k5n.us contains multiple vulnerabilities.

Products Affected

WebCalendar 1.2.7 and earlier

Description

WebCalendar provided by k5n.us contains multiple vulnerabilities listed below.

Cross-site scripting (CWE-79) - CVE-2017-10840

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Directory traversal (CWE-22) - CVE-2017-10841

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N Base Score: 4.1

CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0

Impact

An arbitrary script may be executed on a logged in user's web browser - CVE-2017-10840
Arbitrary local files on the server may be accessed by a user logged in as an administrator - CVE-2017-10841

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor	Link
k5n.us	XSS fixes for admin.php - GitHub
	Release 1.2.8 - craigk5n/webcalendar - GitHub

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

The following researchers reported vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2017-10840
Yuji Tounai of NTT Communications Corporation and ASAI Ken

CVE-2017-10841
ASAI Ken

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2017-10840
	CVE-2017-10841
JVN iPedia	JVNDB-2017-000206

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N	Base Score: 4.1
CVSS v2	AV:N/AC:L/Au:S/C:P/I:N/A:N	Base Score: 4.0

JVN#23340457 Multiple vulnerabilities in WebCalendar