Secunia

Janek Vind "waraxe" has reported three vulnerabilities in nukeKalender, allowing malicious people to conduct Cross Site Scripting and SQL injection attacks.

1) Several scripts return error messages containing the full installation path if called directly, or invalid input is supplied. This may provide an attacker with useful information for other attacks.

2) Certain input passed isn't properly verified before being returned to the user. This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of an affected site by tricking the user into visiting a malicious website or follow a specially crafted link.

Example:
modules.php?op=modload&name=Kalender&file=index&type=view&eid=<malicious_code>

3) Input passed to certain parameters isn't properly verified before being used in an SQL query. This can be exploited by malicious people to manipulate SQL queries by injecting arbitrary SQL code. An example has been published, which extracts the administrative username and hashed password.

Example:
modules.php?op=modload&name=Kalender&file=index&type=view&eid=-1[malicious_SQL]

This has been reported in version 1.1a. Other versions may also be affected.

Solution
Update to KalenderMx 1.3 or later.
Further details available in Customer Area

Provided and/or discovered by
Janek Vind "waraxe"

Changelog
Further details available in Customer Area

Deep Links
Links available in Customer Area