• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

PostCalendar 3.0 Cross Site Scripting Vulnerability

PostCalendar 3.0 is a module for PostNuke that provides an interactive events calendar that users can add entries to. Under certain conditions it fails to strip HTML or Script from user supplied data, allowing malicious code to be injected into event listings by users.

This is accomplished by submitted a normal plain-text event (as a logged in user), proceeding to the preview screen and added the HTML or script from there.