Unknown · TeamCal Neo · CVE-2025-0929
**Name of the Vulnerable Software and Affected Versions**
TeamCal Neo version 3.8.2
**Description**
The issue is a SQL injection vulnerability that could allow an attacker to retrieve, update, and delete all database information by injecting a malicious SQL statement via the `abs` parameter in the `/teamcal/src/index.php` API endpoint.
**Recommendations**
For TeamCal Neo version 3.8.2, consider disabling the `abs` parameter in the `/teamcal/src/index.php` API endpoint until a patch is available. Restrict access to the `/teamcal/src/index.php` endpoint to minimize the risk of exploitation. Avoid using the `abs` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
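
Until a fix is available, it helps to know which clients still send `abs` to the endpoint and whether any value looks malformed. The following is an added example, not code from TeamCal Neo or from the original advisory: it scans web server access logs in common/combined format, and it assumes that legitimate `abs` values are short decimal identifiers. The function names and the sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/teamcal/src/index.php"  # endpoint named in the advisory
PARAM = "abs"                        # parameter named in the advisory
# Assumption: legitimate `abs` values are short decimal identifiers.
SAFE_VALUE = re.compile(r"[0-9]{1,10}")
# Common/combined log format up to the status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return None unless the request hits ENDPOINT with `abs` in the query
    string; otherwise a dict whose verdict is 'uses_abs' or 'suspicious'."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Collapse '//' and '/./' so path variants of the endpoint still match.
    if posixpath.normpath(unquote(url.path)) != ENDPOINT:
        return None
    # parse_qsl percent-decodes; PHP also accepts the array form abs[]=...
    values = [v for k, v in parse_qsl(url.query, keep_blank_values=True)
              if k == PARAM or k.startswith(PARAM + "[")]
    if not values:
        return None
    bad = any(not SAFE_VALUE.fullmatch(v) for v in values)
    return {"ip": m["ip"], "time": m["time"], "status": int(m["status"]),
            "values": values, "verdict": "suspicious" if bad else "uses_abs"}

def scan(lines):
    """Classify every line and keep only requests that carry `abs`."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IPs, made-up times and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2025:09:12:01 +0000] "GET /teamcal/src/index.php?month=202502&abs=3 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Feb/2025:09:12:44 +0000] "GET /teamcal/src/index.php?month=202502&abs=3%27 HTTP/1.1" 500 312',
    '203.0.113.7 - - [10/Feb/2025:09:13:02 +0000] "GET /teamcal/src/index.php?month=202502 HTTP/1.1" 200 5090',
    '203.0.113.9 - - [10/Feb/2025:09:13:30 +0000] "GET /teamcal/src//index.php?abs%5B%5D=x HTTP/1.1" 200 5090',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["verdict"], hit["ip"], hit["time"], hit["values"])
```

Access logs record only the query string, so an `abs` value sent in a POST body is not visible to this check and needs request-body logging or a filter at the reverse proxy.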