Reflected Cross-site scripting in Triconsole Datepicker Calendar (CVE-2021-27330)
Risk: Medium
CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]
CVE-ID: CVE-2021-27330
CWE-ID: CWE-79 — Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Vulnerable software version: Datepicker Calendar < 3.76
Exploit DB: https://www.exploit-db.com/exploits/49597
Google Dork: inurl:/calendar/calendar_form.php
Mitigation: Install updates from the vendor’s website.
Description:
Triconsole Datepicker Calendar is an open-source calendar component written in PHP. The vulnerability exists due to insufficient sanitization of user-supplied data in the "calendar_form.php" script. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
$_SERVER["PHP_SELF"] is a superglobal variable that returns the path of the currently executing script. It is commonly used as a form action so that submitted form data is sent back to the same page instead of a different one. Because the value reflects the request path as sent by the client, including anything appended after the script name, a page that outputs $_SERVER['PHP_SELF'] without encoding is exposed to cross-site scripting: an attacker inserts a '/' after the script name in the URL, followed by script content, and that content is reflected into the page.
This vulnerability can be mitigated by using the htmlspecialchars() function, which converts special characters to HTML entities.
This prevents scripting attacks by attackers who exploit the code by inserting HTML or JavaScript code in the form fields.
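The unsafe pattern and its htmlspecialchars() fix side by side, as an added example that is not Triconsole's code; the request path below is constructed for illustration, and the form markup is assumed rather than taken from calendar_form.php:

```php
<?php
// Added example (not the Triconsole project's code): reflecting PHP_SELF
// into a form action unescaped, and the hardened form of the same output.

// Vulnerable: PHP_SELF includes any extra path info the client appends
// after the script name, and it is placed in the attribute unescaped.
function vulnerable_action(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="get">';
}

// Hardened: HTML-encode the value before placing it in the attribute.
// ENT_QUOTES also encodes single quotes, so the value is safe in either
// attribute quoting style; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string.
function safe_action(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $self . '" method="get">';
}

// Constructed request path for illustration: trailing path info after the
// script name that carries markup characters (the '/' then payload pattern
// described above), as the server would see it after a crafted link is opened.
$_SERVER['PHP_SELF'] = '/calendar/calendar_form.php/"><b>injected</b>';

// In the vulnerable output the quote closes the attribute and the markup
// becomes part of the page; in the hardened output it is inert text.
echo vulnerable_action(), PHP_EOL;
echo safe_action(), PHP_EOL;
```

Run it with the PHP CLI and compare the two lines: only the hardened version keeps the injected characters inside the attribute value as entities.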
External links:
https://nvd.nist.gov/vuln/detail/CVE-2021-27330#VulnChangeHistorySection
http://www.triconsole.com/php/calendar_datepicker.php