Helios Calendar versions 1.2.1 Beta and below suffer from cross site scripting vulnerabilities.
158d6aafc9717d750c7571ceae7e27816afac34f9195422bf38a218bed197675
Hi PacketStormSecurity.org;
I'm reporting a vulnerability of type XSS in Helios Calendar, thank you for all.
+==============================================================================+
+ Helios Calendar <=1.2.1 Beta (XSS) Multiple Remote Vulnerabilities +
+==============================================================================+
Author(s): Ivan Sanchez & Maximiliano Soler.
Product: Helios Calendar.
Vendor: Refresh Web Development, LLC.
Description: Helios Calendar is a professional event management and publishing
platform. More then just a simple web
calendar, Helios Calendar offers many powerful tools to help you organize and
promote your events online.
Web: https://www.helioscalendar.com/
Versions: 1.2.1 Beta (or less)
Date: 02/11/2007
GOOGLE DORKS:
------------
[x] intext:"Helios Calendar" + intext:"Refresh Web Development"
[x] intitle:"Helios Calendar"
EXPLOIT:
--------
For example...after the variable "username"
https://www.[DOMAIN].tld/calendar/admin/index.php?msg=1&username=[XSS]
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!
+==============================================================================+
+ Helios Calendar <=1.2.1 Beta (XSS) Multiple Remote Vulnerabilities +
+==============================================================================+
--
Maximiliano Soler.
Reports & Review Code.
Null Code Services.
www.nullcode.com.ar
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.