CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability

CVE-2014-7291  Springshare LibCal XSS (Cross-Site Scripting) Security Vulnerability Weakness

Exploit Title: Springshare LibCal Multiple XSS (Cross-Site Scripting) Security Weakness

Product: LibCal

Vendor: Springshare

Vulnerable Versions: 2.0

Tested Version: 2.0

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7291

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Solution Status: Fixed by Vendor

Credit: Wang Jing [SPMS, Nanyang Technological University (NTU), Singapore]

Recommendation Details:

(1) Vendor & Product Description:


Product & Vulnerable Versions:

Vendor URL & download:

Product Introduction Overview:

“LibCal is an easy to use calendaring and event management platform for libraries. Used by 1,600+ libraries worldwide, LibCal makes it a breeze to manage online calendar of events, offer room bookings online, manage the opening hours for various locations.”

    “Manage Calendar & Event Registrations
Create custom Registration Forms
Manage Consultation Appointments”

    Create an Online Room Booking System
Display Library & Departmental Hours
Share Calendar/Event Info via Widgets”

(2) Vulnerability Details:

Springshare LibCal web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several Springshare LibCal products vulnerabilities have been found by some other bug hunter researchers before. Springshare LibCal has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to Springshare LibCal vulnerabilities.

(2.1) The first code programming flaw  occur at “/api_events.php?” page, with “&m” and “&cid” parameters.

(3) Solutions:

2014-10-01: Report vulnerability to Vendor

2014-10-15: Vendor replied with thanks and vendor changed the source code