Claroline Connect suffers from a stored xss vulnerability in 'Calendar' functionality. By adding a specific payload in the Location of an event, an attacker can
trigger an xss.
User input is reflected as an href attribute in the Location parameter. Therefore it is possible to enter a payload like javascript:alert(document.domain)
to execute some javascript code.
Fix suggestion : apply XSS filters on user input, and check if the entered content is a real URL.