PT-2015-3658 · Phpjabbers · Phpjabbers Event Booking Calendar

Published: 2015-01-13 · Updated: 2017-09-08 · CVE-2014-10014

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: PHPJabbers Event Booking Calendar version 2.0
Description: Multiple cross-site request forgery (CSRF) vulnerabilities allow remote attackers to hijack the authentication of administrators for forged requests. Specifically, attackers can change the administrator's username and password via an update action to the "AdminOptions" controller. Additionally, cross-site scripting (XSS) attacks can be conducted using the event title parameter in a create action to the "AdminEvents" controller or the category title parameter in a create action to the "AdminCategories" controller.
Recommendations: For PHPJabbers Event Booking Calendar version 2.0, consider disabling the update action to the AdminOptions controller, and restrict access to the create actions in the AdminEvents and AdminCategories controllers to minimize the risk of exploitation. Avoid using the event title and category title parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

CSRF


Weakness Enumeration

Related Identifiers

CVE-2014-10014

Affected Products

Phpjabbers Event Booking Calendar