Persistent Cross-Site Scripting (XSS) in PHP Event Calendar through 2021-11-04

Persistent Cross-Site Scripting (XSS) in PHP Event Calendar through 2021-11-04

CVE-2021-42078 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the site.

Learn more about our Cis Benchmark Audit For Server Software.