LuxCal is vulnerable to cross-site request forgery (CSRF), allowing attackers to craft malicious pages that perform actions on behalf of users who are logged in to a LuxCal instance. LuxCal is also vulnerable to SQL injection through the unsanitized 'cal' parameter.
Affected Versions: LuxCal 3.2.2 and possibly other versions
Exploit: No Exploit Available
SQL Injection
Because the 'cal' parameter is not sanitized, a remote attacker can alter parts of the database query built from it, allowing the attacker to query the database and possibly obtain sensitive information. This may be leveraged to gain access to other sensitive components of the website or of public-facing infrastructure.
Cross-Site Request Forgery
This vulnerability can be exploited via forged HTML forms delivered to a victim through a number of attack vectors, including malicious links. An attacker who successfully exploits it may be able to take complete control of the affected LuxCal installation, including the ability to change arbitrary settings such as the username and password used to administer it.
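Both issues above leave traces in ordinary web server access logs. The following is an added example (not code from the advisory, BeyondTrust, or the LuxCal project) that scans Combined Log Format lines for SQL metacharacters in the 'cal' parameter and for state-changing requests whose Referer host is not the LuxCal site. The hostname, paths and log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit
LUXCAL_HOST = "calendar.example.org"  # hostname of the monitored deployment (placeholder)

# Combined Log Format; Origin is not logged, so Referer is the only cross-site signal here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Heuristic: quoting, comment and boolean tokens that never belong in a calendar id.
SQLI_RE = re.compile(r"'|--|;|/\*|\b(?:union|select|or|and)\b", re.IGNORECASE)
# Constructed sample lines (not real traffic): benign GET, GET with an injected 'cal' value,
# cross-site POST, POST with no Referer, same-site POST.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Mar/2014:10:01:02 +0000] "GET /luxcal/index.php?cal=main HTTP/1.1" 200 512 "https://calendar.example.org/luxcal/index.php" "Mozilla/5.0"
203.0.113.9 - - [14/Mar/2014:10:02:17 +0000] "GET /luxcal/index.php?cal=main%27%20OR%201%3D1-- HTTP/1.1" 200 9831 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2014:10:03:44 +0000] "POST /luxcal/index.php HTTP/1.1" 302 0 "https://attacker.example/page.html" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2014:10:03:50 +0000] "POST /luxcal/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2014:10:04:10 +0000] "POST /luxcal/index.php HTTP/1.1" 302 0 "https://calendar.example.org/luxcal/index.php" "Mozilla/5.0"
"""

def check_cal_param(entry):
    # parse_qs percent-decodes, so "%27" is examined as a literal quote
    query = parse_qs(urlsplit(entry["path"]).query, keep_blank_values=True)
    for value in query.get("cal", []):
        if SQLI_RE.search(value):
            return ("sqli-cal", value)
    return None

def check_referer(entry):
    if entry["method"] not in ("POST", "PUT", "DELETE"):
        return None  # only state-changing requests matter for CSRF
    referer = entry["referer"]
    if referer in ("", "-"):
        return ("csrf-no-referer", referer)  # stripped by browser/proxy: weaker signal
    if urlsplit(referer).hostname != LUXCAL_HOST:
        return ("csrf-cross-site", referer)
    return None

def scan(log_text):
    # returns (client_ip, label, evidence) for every suspicious entry
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined format; skip rather than guess
        entry = m.groupdict()
        for hit in (check_cal_param(entry), check_referer(entry)):
            if hit is not None:
                findings.append((entry["ip"], hit[0], hit[1]))
    return findings
```

A missing Referer is reported separately because privacy settings and proxies strip it legitimately, so it is a weaker indicator than a Referer from another origin.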
BeyondTrust Prevention and Detection:
BeyondTrust's Retina® Network Security Scanner scans hosts to detect this vulnerability.
- 33208 - LuxCal Web Calendar Multiple Vulnerabilities (20140314) (Zero-Day)
No mitigation is available.