CVE-2021-42078 - OpenCVE

PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the site.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Php Event Calendar Project	Php Event Calendar

Configuration 1 [-]

cpe:2.3:a:php_event_calendar_project:php_event_calendar:2021-11-04:*:*:*:lite:*:*:*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2021/Nov/24
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-049.txt

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-11-08T04:07:18

Updated: 2024-08-04T03:22:25.998Z

Reserved: 2021-10-07T00:00:00

Link: CVE-2021-42078

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-11-08T05:15:07.553

Modified: 2021-11-09T22:07:50.933

Link: CVE-2021-42078

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the site."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-08T04:07:18", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-049.txt"}, {"tags": ["x_refsource_MISC"], "url": "http://seclists.org/fulldisclosure/2021/Nov/24"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-42078", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the site."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-049.txt", "refsource": "MISC", "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-049.txt"}, {"name": "http://seclists.org/fulldisclosure/2021/Nov/24", "refsource": "MISC", "url": "http://seclists.org/fulldisclosure/2021/Nov/24"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:22:25.998Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-049.txt"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2021/Nov/24"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-42078", "datePublished": "2021-11-08T04:07:18", "dateReserved": "2021-10-07T00:00:00", "dateUpdated": "2024-08-04T03:22:25.998Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php_event_calendar_project:php_event_calendar:2021-11-04:*:*:*:lite:*:*:*", "matchCriteriaId": "80C22DF8-3F0C-4AC8-9D45-CC5A2155218C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the site."}, {"lang": "es", "value": "PHP Event Calendar versiones hasta el 04-11-2021 permite un ataque de tipo cross-site scripting (XSS) persistente, como es demostrado por el par\u00e1metro de t\u00edtulo /server/ajax/events_manager.php. Esto puede ser explotado por un adversario de m\u00faltiples maneras, por ejemplo, para llevar a cabo acciones en la p\u00e1gina en el contexto de otros usuarios, o para desfigurar el sitio"}], "id": "CVE-2021-42078", "lastModified": "2021-11-09T22:07:50.933", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-08T05:15:07.553", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2021/Nov/24"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-049.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}