WebCalendar Multiple CSS and CSRF Vulnerabilities

Summary
The host is running WebCalendar and is prone to multiple cross-site scripting (CSS) and cross-site request forgery (CSRF) vulnerabilities.
Impact
Successful exploitation could allow attackers to conduct cross-site scripting and request forgery attacks.
Impact Level: Application
Solution
Upgrade to WebCalendar version 1.2.1 or later.
For updates, refer to http://www.k5n.us/webcalendar.php?topic=Download
Insight
- Input passed to the 'tab' parameter in 'users.php' is not properly sanitised before being returned to the user.
- Input appended to the URL after 'day.php', 'month.php', and 'week.php' is not properly sanitised before being returned to the user.
- The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to delete an event, ban an IP address from posting, or change the administrative password if a logged-in administrative user visits a malicious web site.
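Requests that target the two reflected-input flaws above leave a recognisable trace in web server access logs. The following Python check is an added example, not part of the original advisory or of WebCalendar; the /webcalendar install path, the log lines and the 'tab' values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Scripts the advisory names as reflecting text appended to the URL.
PATHINFO_SCRIPTS = ("day.php", "month.php", "week.php")
# Characters an HTML page would treat as markup or attribute delimiters.
MARKUP = re.compile(r"[<>\"']")
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return a finding for one request URL, or None if nothing matches."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    for script in PATHINFO_SCRIPTS:
        idx = path.find("/" + script)
        # Anything after the script name is path info echoed back by the page.
        if idx != -1 and MARKUP.search(path[idx + len(script) + 1:]):
            return "markup in path info after " + script
    if path.endswith("/users.php"):
        # parse_qs percent-decodes the parameter values.
        for value in parse_qs(parts.query).get("tab", []):
            if MARKUP.search(value):
                return "markup in users.php 'tab' parameter"
    return None

def scan(lines):
    """Return (line_number, finding) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        finding = classify(match.group(1)) if match else None
        if finding:
            hits.append((number, finding))
    return hits

# Constructed sample log lines; the /webcalendar path is an assumption.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2010:10:00:00 +0000] "GET /webcalendar/month.php?date=20100101 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2010:10:00:02 +0000] "GET /webcalendar/users.php?tab=%22%3E%3Cb%3Ex HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Jan/2010:10:00:03 +0000] "GET /webcalendar/day.php/%22%3E%3Cb%3Ex HTTP/1.1" 200 4096',
    '198.51.100.9 - - [01/Jan/2010:10:00:05 +0000] "GET /webcalendar/users.php?tab=groups HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(number, finding)
```

The check covers only the reflected-input issues; the request forgery issue is not visible from the request line alone.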
Affected
WebCalendar version 1.2.0 and prior.