Tuesday, 17 March 2015

CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability Weakness

Exploit Title: Springshare LibCal Multiple XSS (Cross-Site Scripting) Security Weakness
Product: LibCal
Vendor: Springshare
Vulnerable Versions: 2.0
Tested Version: 2.0
Advisory Publication: Nov 25, 2014
Latest Update: Nov 25, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7291
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Solution Status: Fixed by Vendor
Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

Recommendation Details:


(1) Vendor & Product Description:


Vendor:
Springshare

Product & Vulnerable Versions:
LibCal 2.0

Vendor URL & download:
http://springshare.com/libcal/


Product Introduction Overview:
"LibCal is an easy to use calendaring and event management platform for libraries. Used by 1,600+ libraries worldwide, LibCal makes it a breeze to manage online calendar of events, offer room bookings online, manage the opening hours for various locations."

"Manage Calendar & Event Registrations
Create custom Registration Forms
Manage Consultation Appointments
Create an Online Room Booking System
Display Library & Departmental Hours
Share Calendar/Event Info via Widgets"



(2) Vulnerability Details:
The Springshare LibCal web application is vulnerable to cross-site scripting (XSS). A remote attacker may craft a request that executes arbitrary script code in a user's browser session, within the trust relationship between that browser and the server.

Several vulnerabilities in Springshare LibCal products have been found by other researchers before, and Springshare has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of the nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories and solution details related to Springshare LibCal vulnerabilities.


(2.1) The first code flaw occurs on the "/api_events.php" page, in the "m" and "cid" query parameters.
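The flaw class the advisory describes, query parameters reflected into the page without output encoding, shown as an added Python illustration beside its hardened form. This is not LibCal's own code: the handler, the response markup, and the meaning of "m" (assumed to be a month number) and "cid" (assumed to be a numeric calendar id) are all assumptions made for the example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Illustrative reconstruction of the flaw class only (reflected XSS via query
# parameters on a page shaped like /api_events.php?m=...&cid=...). This is
# NOT LibCal's code; the response markup and the meaning of "m" (assumed to
# be a month number) and "cid" (assumed numeric calendar id) are assumptions.

ERROR = "<p>Unrecognised parameters: m=%s cid=%s</p>"
PAGE = '<div id="cal" data-cid="%s">Events for month %s</div>'


def _params(url: str) -> dict:
    """First value of each query parameter, URL-decoded, missing -> ''."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def render_unsafe(url: str) -> str:
    """Vulnerable pattern: raw query values are interpolated into HTML, so any
    markup or quote characters in them become part of the page."""
    p = _params(url)
    return PAGE % (p.get("cid", ""), p.get("m", ""))


def render_safe(url: str) -> str:
    """Hardened pattern: validate each value against the type and range it is
    supposed to have, and HTML-encode anything untrusted that is reflected."""
    p = _params(url)
    m_raw, cid_raw = p.get("m", ""), p.get("cid", "")
    try:
        month, cid = int(m_raw), int(cid_raw)
        if not 1 <= month <= 12 or cid < 0:
            raise ValueError("out of range")
    except ValueError:
        # The offending values are echoed for diagnostics, but only after
        # escape(quote=True) neutralises < > & " ' for the HTML text context.
        return ERROR % (escape(m_raw, quote=True), escape(cid_raw, quote=True))
    # Integers cannot carry markup, so the valid path is safe by construction.
    return PAGE % (cid, month)


def reflects_unencoded(rendered: str, marker: str) -> bool:
    """Test-harness check: True when a constructed marker string appears in the
    response verbatim, i.e. the input was reflected without encoding."""
    return marker in rendered
```

The same check, run against a real deployment's responses with a harmless constructed marker, is a quick way to confirm a vendor fix actually encodes both parameters rather than just one.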





(3) Solutions:
2014-10-01: Report vulnerability to Vendor
2014-10-15: Vendor replied with thanks and vendor changed the source code

Wednesday, 11 March 2015

醉清風 (Drunk on the Clear Breeze) – 弦子 (Xianzi) – beautiful, ethereal music

Tulips


I love the ethereal mood of 醉清風: the bright moon, the clear breeze, a lone figure, the sound of the qin, singing over wine; it is intoxicating. I made a video of it especially, as a keepsake. In all things under heaven, who is right and who is wrong, and who can ever say for certain?


Song & Lyrics

醉清風 (Drunk on the Clear Breeze). Singer: 張弦子 (Zhang Xianzi)

The moonlight is hazy

I raise a cup with the clear breeze to see you off

So many verses of praise

Drunk through life, dreaming to death, it is all empty

Entwined with you after the wine

Do you still remember

A heart that fluttered past all restraint

Why is it only this song

That you softly sing along to

Drunk on the clear breeze

A dream's empty illusion

One tune on the qin to see you off

Is any love still deep

Wind, flowers, snow, moon and a face

Entwined with you after the wine

Do you still remember

A heart that fluttered past all restraint

The butterfly has gone without a trace

I raise my cup to drown sorrow and the feeling only deepens

No one to cherish me

It is I who think too much

As rash as a moth throwing itself into the flame

In the end

One candle flame remains

To burn me out

The song ends and the crowd disperses

Who is without fault

I have seen through it all

The moonlight is hazy; I raise a cup with the clear breeze to see you off

So many verses of praise; drunk through life, dreaming to death, the night sky

Entwined with you after the wine

Do you still remember

A dream's empty illusion; one tune on the qin to see you off

Is any love still deep; wind, flowers, snow, moon and a face

Entwined with you after the wine

Do you still remember

A dream's empty illusion

One tune on the qin to see you off

Is any love still deep

Wind, flowers, snow, moon and a face

Entwined with you after the wine

Do you still remember

A heart that fluttered past all restraint

The butterfly has gone without a trace

I raise my cup to drown sorrow and the feeling only deepens

No one to cherish me

It is I who think too much

As rash as a moth throwing itself into the flame

In the end

One candle flame remains

To burn me out

The song ends and the crowd disperses

Who is without fault

I have seen through it all