HortusFox Web Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Calendar module of HortusFox Web version 4.4. This vulnerability allows authenticated users to inject arbitrary JavaScript into event names, which is then executed in the context of other users' browsers when the chat interface is loaded or refreshed. The injected script could be used to hijack sessions, steal data, or escalate privileges by targeting higher-privilege accounts.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, log in as an authenticated user and create a calendar event. Inject a script payload, such as an image tag with an error event handler, into the event name. Once the event is saved, the injected script will execute when the chat is rendered, demonstrating the cross-site scripting vulnerability.
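As an added illustration that is not HortusFox code, the unencoded rendering pattern that produces this class of bug, beside its output-encoded form, plus a check for auditing stored event names after patching; the record shape, function names and sample events are assumptions:

```javascript
// Added example (not HortusFox code). Event records are assumed to be
// { id, name } objects; the stored name is user-controlled.

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the stored name is interpolated into markup as-is, so any
// tag in it becomes live DOM once the string is assigned via innerHTML.
function renderEventVulnerable(event) {
  return `<li class="event">${event.name}</li>`;
}

// Hardened: encode on output. The stored value is unchanged and still
// displays exactly what the user typed, but as text rather than markup.
function renderEventSafe(event) {
  return `<li class="event">${escapeHtml(event.name)}</li>`;
}

// Defender check: flag stored names containing a tag opener or an inline
// event-handler attribute, for auditing existing records after a fix.
function looksLikeMarkup(name) {
  return /<[a-z!\/?]/i.test(name) || /\bon[a-z]+\s*=/i.test(name);
}

// Returns the ids of events whose names look like injected markup.
function auditEvents(events) {
  return events.filter((e) => looksLikeMarkup(e.name)).map((e) => e.id);
}

// Constructed sample records: one benign name and one carrying the kind
// of payload the advisory describes (an image tag with an error handler).
const sampleEvents = [
  { id: 1, name: "Repot the basil" },
  { id: 2, name: "<img src=x onerror=alert(1)>" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const e of sampleEvents) {
    console.log("vulnerable:", renderEventVulnerable(e));
    console.log("safe:      ", renderEventSafe(e));
  }
  console.log("suspicious ids:", auditEvents(sampleEvents)); // [ 2 ]
}
```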

Added: Aug 13, 2025, 9:30 PM
Updated: Aug 13, 2025, 9:30 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.4
  exploitability  6.3
  remediation     0.0
  relevance       0.3
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.