CVE-2010-0636

Name of the Vulnerable Software and Affected Versions WebCalendar versions 1.2.0 through 1.2.5

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the tab parameter to "users.php" and the PATH INFO to "day.php", "month.php", and "week.php".

Recommendations For WebCalendar versions 1.2.0 through 1.2.5, consider updating to a version newer than 1.2.5 to resolve the issue. As a temporary workaround, restrict access to the vulnerable API endpoints, specifically "users.php", "day.php", "month.php", and "week.php", and avoid using the tab parameter until a patch is available.