Headline
CVE-2022-37162: claroline-CVEs/calendar_xss.md at main · matthieu-hackwitharts/claroline-CVEs
Claroline 13.5.7 and prior is vulnerable to Cross Site Scripting (XSS). An attacker can obtain javascript code execution by adding arbitrary javascript code in the ‘Location’ field of a calendar event.
‘Location’ stored XSS (version : 13.5.7)
Claroline Connect suffers from a stored xss vulnerability in ‘Calendar’ functionality. By adding a specific payload in the Location of an event, an attacker can trigger an xss.
User input is reflected as an href attribute in the Location parameter. Therefore it is possible to enter a payload like javascript:alert(document.domain) to execute some javascript code.
Fix suggestion : apply XSS filters on user input, and check if the entered content is a real URL.