CVE-2005-2882

Name of the Vulnerable Software and Affected Versions phpCommunityCalendar versions 4.0.3 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different PHP files. Specifically, the LocationID parameter to files like thankyou.php or day.php, the font parameter to files such as calDaily.php, calMonthly.php, and others, and other parameters like CeTi, Contact, Description, and ShowAddress to event.php are vulnerable. This can lead to cross-site scripting (XSS) attacks.

Recommendations For phpCommunityCalendar versions 4.0.3 and earlier, consider disabling the vulnerable parameters, such as LocationID, font, CeTi, Contact, Description, and ShowAddress, until a patch is available. Restrict access to the affected PHP files, including thankyou.php, day.php, calDaily.php, calMonthly.php, calMonthlyP.php, calWeekly.php, calWeeklyP.php, calYearly.php, calYearlyP.php, week.php, and event.php, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.