BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist


LuxCal 3.2.2 Cross Site Request Forgery / SQL Injection

Disclosed: March 10, 2014. Zero-day counter: 287 days.

Vulnerability Description:

LuxCal is vulnerable to cross-site request forgery: an attacker can craft a malicious page that submits state-changing requests to a LuxCal instance on behalf of a user who is logged in to it. LuxCal is also vulnerable to SQL injection: the 'cal' request parameter is placed into a database query without sanitization or parameter binding.

Vendors:

LuxSoft

Vulnerable Software/Devices:

LuxCal 3.2.2 and possibly other versions

Vulnerability Severity:

Medium

Exploit Availability:

No Exploit Available

Exploit Impact:

SQL Injection
A remote attacker can inject SQL syntax through the 'cal' parameter and alter the query the application executes, allowing the attacker to read data from the database and possibly gain access to sensitive information. Depending on the privileges of the database account LuxCal uses, this may be leveraged to reach other sensitive components of the website or publicly facing infrastructure.
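To show the class of bug the advisory describes, the following added example (not LuxCal's code; the table and query shape are assumptions) builds a small in-memory SQLite database and runs a hypothetical calendar lookup two ways: with the 'cal' value spliced into the SQL text, and with it bound as a parameter. The injected value closes the string literal and comments out the rest of the WHERE clause, so the vulnerable version returns rows the query was meant to exclude, while the parameterized version treats the same input as an ordinary (non-matching) name.

```python
import sqlite3

# Constructed sample data for the demonstration (not LuxCal's real schema).
SAMPLE_CALENDARS = [
    (1, "public", 1),
    (2, "staff-internal", 0),
    (3, "board-minutes", 0),
]


def make_db():
    """Create an in-memory database with a hypothetical 'calendars' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE calendars (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO calendars VALUES (?, ?, ?)", SAMPLE_CALENDARS)
    return conn


def lookup_vulnerable(conn, cal):
    """Hypothetical vulnerable lookup: the 'cal' value is concatenated into the
    SQL text, so SQL syntax in the value changes the query's meaning."""
    sql = "SELECT id, name FROM calendars WHERE name = '%s' AND public = 1" % cal
    return sorted(conn.execute(sql).fetchall())


def lookup_fixed(conn, cal):
    """Hardened lookup: the same query with 'cal' bound as a parameter, so the
    driver passes the value to the engine as data rather than as SQL."""
    sql = "SELECT id, name FROM calendars WHERE name = ? AND public = 1"
    return sorted(conn.execute(sql, (cal,)).fetchall())


def demo():
    """Run both lookups with a benign value and with an injection payload."""
    conn = make_db()
    benign = "public"
    # The payload closes the quoted string, adds an always-true condition, and
    # comments out the "AND public = 1" restriction that follows it.
    payload = "x' OR 1=1 -- "
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_payload": lookup_vulnerable(conn, payload),
        "fixed_benign": lookup_fixed(conn, benign),
        "fixed_payload": lookup_fixed(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns all three calendars, including the two non-public ones, for the payload; the parameterized lookup returns nothing for it, because the whole string is compared literally against the name column.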

Cross-Site Request Forgery
Exploitation of this vulnerability is possible via forged HTML forms delivered to a victim through a number of different attack vectors (including malicious links). The forged request is sent with the victim's session cookie and therefore runs with the victim's privileges: if the victim is an administrator, an attacker may be able to take complete control of the affected installation, including the ability to change arbitrary settings such as the username and password used to administer it.
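The following added example (not LuxCal's code; the handler, request shape and origin are hypothetical) models a state-changing "change password" request and shows why the cross-site form succeeds against an unprotected handler and fails against one that requires a session-bound synchronizer token and checks the Origin header. The browser attaches the session cookie to the forged request automatically, which is exactly what a cookie-only check cannot distinguish from a legitimate submission.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data. Not LuxCal code.
SESSIONS = {}
SITE_ORIGIN = "https://calendar.example"  # assumed origin of the calendar


def start_session(user):
    """Create a session and mint a random synchronizer token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(32), "password": "old"}
    return sid


def form_token(sid):
    """Value the legitimate page embeds as a hidden field in its form."""
    return SESSIONS[sid]["csrf"]


def _session_for(request):
    return SESSIONS.get(request["cookies"].get("session"))


def handle_unprotected(request):
    """Vulnerable pattern: only the cookie is checked, so a forged cross-site
    POST carrying the victim's cookie is accepted."""
    sess = _session_for(request)
    if request["method"] != "POST" or sess is None:
        return (403, "rejected")
    sess["password"] = request["form"]["new_password"]
    return (200, "password changed")


def handle_protected(request):
    """Hardened pattern: require a matching per-session token and, when the
    browser supplies an Origin header, require it to be our own origin."""
    sess = _session_for(request)
    if request["method"] != "POST" or sess is None:
        return (403, "rejected")
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison; an empty or attacker-guessed token fails here.
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return (403, "csrf token missing or invalid")
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return (403, "cross-origin request rejected")
    sess["password"] = request["form"]["new_password"]
    return (200, "password changed")


def demo():
    """Replay a forged and a legitimate request against both handlers."""
    sid = start_session("admin")
    cookies = {"session": sid}  # sent by the browser on every request to the site
    forged = {  # auto-submitted form on attacker.example: cookie present, no token
        "method": "POST",
        "cookies": cookies,
        "headers": {"Origin": "https://attacker.example"},
        "form": {"new_password": "pwned"},
    }
    legit = {  # the calendar's own form, carrying the hidden token
        "method": "POST",
        "cookies": cookies,
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"new_password": "s3cret", "csrf_token": form_token(sid)},
    }
    return {
        "unprotected_forged": handle_unprotected(forged),
        "protected_forged": handle_protected(forged),
        "protected_legit": handle_protected(legit),
        "final_password": SESSIONS[sid]["password"],
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The token check is what removes the attacker's ability to construct a valid request from another site; the Origin check is a second, independent control that browsers enforce on cross-site form posts.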

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner detects this vulnerability with the following audit:

  • 33208 - LuxCal Web Calendar Multiple Vulnerabilities (20140314) (Zero-Day)

Mitigation:

No vendor fix or workaround was available at the time of this writing.

Links:

CVE(s):

None