XWiki Mocca Calendar
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*
- <= 2.14.2
A cross-site scripting (XSS) vulnerability has been identified in the Mocca Calendar application for XWiki, affecting versions through 2.14.2. The issue arises because the background and text color fields in the event modal are not properly escaped. This flaw allows any user with view rights on the calendar page to inject scripts, which are executed when the event is opened in the modal. The vulnerability can also be exploited by injecting a script into the calendar's default colors, which will be executed when an event is created without a custom color.
Successful exploitation results in cross-site scripting: the injected script runs in the browser, and with the privileges, of whichever user views the calendar and opens the affected event.
To reproduce this vulnerability, install the Mocca Calendar application version 2.14.2 or prior. Once the application is active, create a new event and insert a script, such as an alert tag, into the background or text color field. After saving the event, click on it to open the modal, where the script will execute before the modal fully loads.
Users can update to Mocca Calendar version 2.15, where this vulnerability has been patched.
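The root cause described above is that a free-form colour value reaches the modal's markup unescaped. The following added example (hypothetical code, not Mocca Calendar's own) contrasts that string-building pattern with a hardened version that accepts only strict CSS colour syntaxes and falls back to a validated default, which also closes the calendar-default-colour path the advisory mentions. The event and default objects are constructed sample input.

```javascript
// Hypothetical hardening for an event colour field (not Mocca Calendar code).
// Only strict CSS colour syntaxes are accepted, so no markup can reach the DOM.
const HEX_RE = /^#(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const RGB_RE = /^rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$/i;
const NAMED = new Set(["red", "green", "blue", "white", "black", "yellow",
                       "orange", "purple", "gray", "grey"]);

function isSafeColor(value) {
  if (typeof value !== "string") return false;
  const v = value.trim();
  if (v.length > 32) return false;           // no legitimate colour is longer
  return HEX_RE.test(v) || RGB_RE.test(v) || NAMED.has(v.toLowerCase());
}

// Return the stored value only if it validates; otherwise use the fallback.
function sanitizeColor(value, fallback) {
  return isSafeColor(value) ? value.trim() : fallback;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: stored colour and title are concatenated straight into
// the modal HTML, so a value containing '"><...>' breaks out of the attribute.
function buildModalUnsafe(ev) {
  return `<div class="event" style="background:${ev.bg};color:${ev.fg}">${ev.title}</div>`;
}

// Hardened pattern: both the event colours and the calendar defaults are
// validated, and the title is HTML-escaped before it is placed in the markup.
function buildModalSafe(ev, defaults) {
  const bg = sanitizeColor(ev.bg, sanitizeColor(defaults.bg, "#ffffff"));
  const fg = sanitizeColor(ev.fg, sanitizeColor(defaults.fg, "#000000"));
  return `<div class="event" style="background:${bg};color:${fg}">${escapeHtml(ev.title)}</div>`;
}

// Constructed sample event: the background field carries markup instead of a colour.
const sampleEvent = { title: "Meeting <b>", bg: '#fff"><b>x</b>', fg: "red" };
const sampleDefaults = { bg: "#ffffff", fg: "#000000" };
```

In a real fix the sanitized value would be applied through `element.style.backgroundColor` rather than string templating, but the validation step is the same.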