PT-2021-23510 · Unknown · Phpeventcalendar

Erik Steltzner +1

Published: 2021-11-05 · Updated: 2021-11-09 · CVE-2021-42078

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PHP Event Calendar through 2021-11-04

Description: The issue allows persistent (stored) cross-site scripting (XSS). An adversary can exploit it in multiple ways, for example by performing actions on the page in the context of other users or by defacing the site. The issue is demonstrated with the /server/ajax/events manager.php API endpoint, specifically its title parameter.

Recommendations: For PHP Event Calendar through 2021-11-04, consider disabling the /server/ajax/events manager.php API endpoint, or restricting access to its title parameter, until a patch is available. As a temporary workaround, avoid using the title parameter of the affected API endpoint to minimize the risk of exploitation. At the moment there is no information about a newer version that contains a fix for this vulnerability.
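The following is an added example, not code from PHP Event Calendar or from this advisory. It shows the defect class behind a stored XSS in a title field (a stored value echoed into HTML as-is) next to the input validation and context-specific output encoding that close it; the function names, the 200-character limit and the JSON response shape are assumptions.

```php
<?php
// Added example, not code from PHP Event Calendar. Demonstrates the defect
// class behind CVE-2021-42078 (stored "title" rendered without encoding) and
// one hardening pattern: validate on input, encode on every output context.

declare(strict_types=1);

// Vulnerable pattern (illustrative): the stored title is echoed into HTML
// unchanged, so markup supplied when the event was created runs in the
// browser of every user who views the calendar.
function render_title_unsafe(string $title): string
{
    return "<div class=\"event-title\">$title</div>";
}

// Validation at the storage boundary: a calendar title is short plain text.
// Length and control-character limits (assumed values) shrink what can be
// stored at all, but they are not the XSS fix on their own.
function validate_title(string $title): string
{
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 200) {
        throw new InvalidArgumentException('title must be 1-200 characters');
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $title)) {
        throw new InvalidArgumentException('title contains control characters');
    }
    return $title;
}

// Output encoding for the HTML body context: this is the actual fix.
function render_title_safe(string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"event-title\">$escaped</div>";
}

// Output encoding for the AJAX/JSON context (assumed response shape): the
// HEX flags encode <, >, &, ' and " so the title stays inert even if a page
// embeds the JSON response inside a <script> block.
function events_json(array $events): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($events, $flags | JSON_THROW_ON_ERROR);
}

// Constructed sample value, not a payload taken from the advisory.
$stored = validate_title('Team sync <b>all hands</b>');
echo render_title_unsafe($stored), PHP_EOL; // the markup is interpreted
echo render_title_safe($stored), PHP_EOL;   // the markup is shown as text
echo events_json([['id' => 1, 'title' => $stored]]), PHP_EOL;
```

The safe renderer is what a fix for the title parameter must do wherever the stored value reaches a page; the validator only limits the size of the problem.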

Exploit: XSS


Weakness Enumeration

Related Identifiers: CVE-2021-42078

Affected Products: Phpeventcalendar