The host is running WebCalendar and is prone to multiple CSS and CSRF Vulnerabilities.

Successful exploitation could allow attackers to conduct cross-site scripting and request forgery attacks. Impact Level: Application

Upgrade to WebCalendar version 1.2.1 or later For updates refer to http://www.k5n.us/webcalendar.php?topic=Download

- Input passed to the 'tab' parameter in 'users.php' is not properly sanitised before being returned to the user. - Input appended to the URL after 'day.php', 'month.php', and 'week.php' is not properly sanitised before being returned to the user. - The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to delete an event, ban an IP address from posting, or change the administrative password if a logged-in administrative user visits a malicious web site.

WebCalendar version 1.2.0 and prior.

• http://holisticinfosec.org/content/view/133/45/
• http://secunia.com/advisories/38222

---

Updated on 2015-03-25