CVE-2024-1097 HIGH

CVE-2024-1097: Stored XSS in craigk5n/webcalendar

Vendor Craigk5N

Product craigk5n/webcalendar

Weakness CWE-79 · XSS

Published November 15, 2024

Last update November 15, 2024

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists in craigk5n/webcalendar version 1.3.0. The vulnerability occurs in the 'Report Name' input field while creating a new report. An attacker can inject malicious scripts, which are then executed in the context of other users who view the report, potentially leading to the theft of user accounts and cookies.

Key dates

02Disclosure timeline

November 15, 2024 CVE published

November 15, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-1097

Related vulnerabilities

Identifiers

CVE CVE-2024-1097

CWE CWE-79

CVSS 7.6 / HIGH

Affected versions