![Geeklog CMS](http://www.geeklog.net/layout/modern_curve/images/logo.png)
A Cross-Site Scripting (XSS) vulnerability has been discovered in Geeklog version 1.8.2.
The HTB23143 security advisory describes an XSS flaw in the "calendar_type" HTTP POST parameter passed to the "calendar/index.php" script. An exploitation example for this medium-risk vulnerability (CVSSv2 Base Score: 4.3, AV:N/AC:M/Au:N/C:N/I:P/A:N) is available on the security researcher's page.
A solution is available for this issue: upgrade to Geeklog 1.8.2sr1.
More about cross-site scripting, a vulnerability in web applications that attackers may exploit to steal users' information, can be read on Wikipedia.