XWiki Mocca Calendar
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*
- <= 2.14.2
A cross-site scripting (XSS) vulnerability has been identified in the XWiki Mocca Calendar application, specifically in versions prior to 2.15. The issue arises during calendar imports, where event titles are not properly escaped. This flaw allows users with view rights on the calendar to execute scripts by importing events with maliciously crafted titles. The injected script runs when the imported event's page is opened after the import.
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user viewing the event page.
To reproduce this vulnerability, install the Mocca Calendar application and import a calendar containing an event with a script tag in the title, such as a JavaScript alert. After importing, open the event page in a new tab. The script will execute before the page fully loads.
Users can update to Mocca Calendar version 2.15, where this vulnerability has been patched.
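As an added illustration, not code from XWiki or the Mocca Calendar project, the pattern behind this class of bug and its fix: an imported event title (parsed here from a constructed iCalendar export; the import format is an assumption, the advisory does not name it) rendered verbatim into the event page versus HTML-escaped at output time, plus a helper that flags imported titles containing markup for review.

```python
import html
import re

# Constructed iCalendar (.ics) input with two events; the first SUMMARY is
# folded across two lines and carries markup in its title.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-1@example.invalid\r\n"
    "DTSTART:20240101T100000Z\r\n"
    "SUMMARY:Planning\\, Q1 <script>\r\n"
    " alert(1)</script>\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-2@example.invalid\r\n"
    "DTSTART:20240101T120000Z\r\n"
    "SUMMARY:Lunch\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(ics: str) -> list[str]:
    """Undo RFC 5545 line folding (line break followed by a space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def unescape_text(value: str) -> str:
    """Reverse iCalendar TEXT escaping: \\, \\; \\n and \\\\."""
    return re.sub(r"\\([,;nN\\])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def event_titles(ics: str) -> list[str]:
    """Return the SUMMARY of each VEVENT in document order (parameters ignored)."""
    titles = []
    for line in unfold(ics):
        name, _, value = line.partition(":")
        if name.split(";")[0].upper() == "SUMMARY":
            titles.append(unescape_text(value))
    return titles

def titles_with_markup(ics: str) -> list[str]:
    """Review aid: imported titles that contain tag characters."""
    return [t for t in event_titles(ics) if "<" in t or ">" in t]

def render_title_unescaped(title: str) -> str:
    """The flawed pattern: the imported title is written into the page verbatim."""
    return f"<h1 class='event-title'>{title}</h1>"

def render_title_escaped(title: str) -> str:
    """The fix: escape the title at output time so markup is shown, not parsed."""
    return f"<h1 class='event-title'>{html.escape(title)}</h1>"
```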