Reflected Cross-site scripting in Triconsole Datepicker Calendar (CVE-2021-27330)
CVSSv3: 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]
CWE-ID: CWE-79 — Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Vulnerable software version: Datepicker Calendar < 3.76
Exploit DB: https://www.exploit-db.com/exploits/49597
Google Dork: inurl:/calendar/calendar_form.php
Mitigation: Install updates from the vendor’s website.
Triconsole Datepicker Calendar is an open-source calendar component written in PHP. The vulnerability exists due to insufficient sanitization of user-supplied data in the "calendar_form.php" script. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
$_SERVER["PHP_SELF"] is a superglobal variable that returns the path of the currently executing script. It is commonly used as a form's action attribute so that the submitted form data is sent back to the same page instead of a different one. Because PHP_SELF also contains any path info the client appended after the script name, it can be exploited for cross-site scripting by inserting a '/' into the URL followed by script content; if the value is written into the page without encoding, that content is reflected into the HTML.
This vulnerability can be mitigated by passing the value through the htmlspecialchars() function, which converts special characters such as <, >, & and quotes into HTML entities before the value is written into the page.
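As an added illustration (not code from the Triconsole project), the PHP_SELF form-action pattern described above in its unencoded form next to the htmlspecialchars()-hardened form; the sample path value is constructed for the demo and stands in for a real $_SERVER['PHP_SELF'].

```php
<?php
// Added example, not code from the Triconsole Datepicker Calendar project.
// Shows the $_SERVER['PHP_SELF'] form-action pattern unencoded and hardened
// with htmlspecialchars(). The sample value below is constructed for this demo.

// Unsafe: the raw superglobal goes straight into an HTML attribute. PHP_SELF
// contains any path info the client appended after the script name, so the
// client controls part of this string.
function form_action_unsafe(string $php_self): string
{
    return '<form action="' . $php_self . '" method="post">';
}

// Hardened: encode for the attribute context before output. ENT_QUOTES encodes
// both " and ' so the attribute cannot be closed early; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function form_action_safe(string $php_self): string
{
    $action = htmlspecialchars($php_self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Constructed sample: a request for /calendar/calendar_form.php with extra path
// info appended after a '/'. A real request would read $_SERVER['PHP_SELF'].
$sample = '/calendar/calendar_form.php/"<b>path-info</b>';

// The quote in the unsafe output terminates the action attribute, so the tag
// that follows is parsed as markup; in the safe output it stays inert text.
echo "Unsafe: ", form_action_unsafe($sample), PHP_EOL;
echo "Safe:   ", form_action_safe($sample), PHP_EOL;
```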