XWiki Mocca Calendar Application Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the Mocca Calendar application for XWiki in versions prior to 2.15. The title of an event is not escaped when it is rendered on the event page, so any user who can create or edit an event can place script in its title, and that script then runs in the browser of every user with view rights who opens the event page. The issue is reproducible by creating an event whose title contains a script tag and then opening the event page.
Impact
This is a stored XSS: the injected script is saved with the event and executes in the browser of each user who views the event page, in the context of that user's XWiki session, so it can perform actions with that user's rights.
Reproduction
To reproduce the issue, install the Mocca Calendar application and create an event whose title contains a script tag, for example one that calls a JavaScript alert. Save the event and open its page in a new tab. The script runs as the page loads, before it has fully rendered, which shows that the title was inserted into the page without escaping; the page source contains the script tag verbatim.
Remediation
Update to Mocca Calendar version 2.15 or later, in which the event title is escaped when the event page is rendered. Because the payload is stored in the event itself rather than in a request, also review existing event titles for injected markup after upgrading.
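The following is an added example, not code from the Mocca Calendar application or from XWiki. It is a small JavaScript model of the event page that renders the title once without escaping (the behaviour described above) and once with HTML escaping, checks whether a title has introduced markup beyond the template's own tags, and scans a list of stored events for titles that already contain tag-like markup. In an XWiki Velocity template the equivalent fix is to wrap the title in $escapetool.xml(); all function and field names below are hypothetical, and the sample events are constructed.

```javascript
// Added example (not Mocca Calendar or XWiki code): models how an event title
// reaches the event page with and without output escaping.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the stored title is interpolated verbatim into the page,
// so a title containing <script> becomes a live script element.
function renderEventPageVulnerable(event) {
  return `<h1 class="event-title">${event.title}</h1>`;
}

// Hardened rendering: the same template, with the untrusted field escaped.
function renderEventPageSafe(event) {
  return `<h1 class="event-title">${escapeHtml(event.title)}</h1>`;
}

// Count HTML tags in rendered output. The template itself contributes exactly
// two (<h1 ...> and </h1>); anything beyond that came from the event title.
const TEMPLATE_TAG_COUNT = 2;
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// True when rendering this event with the given renderer produced markup that
// is not part of the template, i.e. the title was able to inject elements.
function introducesMarkup(render, event) {
  return countTags(render(event)) > TEMPLATE_TAG_COUNT;
}

// Post-upgrade review helper: return the titles of stored events that contain
// tag-like markup, so they can be inspected by hand. Plain '&' or '<' followed
// by a space (as in "a < b") is not flagged; only '<' followed by a letter,
// '/' or '!' is, which is what a browser would parse as a tag.
function titlesWithMarkup(events) {
  return events.map((e) => e.title).filter((t) => /<[a-zA-Z/!]/.test(t));
}

// Constructed sample events; the first carries the payload from the
// reproduction steps above.
const maliciousEvent = { title: '<script>alert(document.domain)</script>' };
const benignEvent = { title: 'Q3 planning & review: is 3 < 4?' };
const storedEvents = [maliciousEvent, benignEvent, { title: '<img src=x onerror=alert(1)>' }];

// Run stand-alone to see both renderings side by side.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderEventPageVulnerable(maliciousEvent));
  console.log('safe:      ', renderEventPageSafe(maliciousEvent));
  console.log('stored titles to review:', titlesWithMarkup(storedEvents));
}
```

The two renderers differ only in the escaping call, which is the shape of the fix: the template stays the same and the untrusted value is escaped for the context it is written into. The scan is deliberately narrow so that ordinary titles with ampersands or comparison signs are not flagged.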
