
    16 vulnerabilities found for luxcal_web_calendar by luxsoft

    CVE-2025-25224 (GCVE-0-2025-25224)

    Vulnerability from nvd – Published: 2025-02-18 00:12 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing authentication for critical function
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25224",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:12:59.444452Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:03.746Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing authentication for critical function",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:12:21.912Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25224",
        "datePublished": "2025-02-18T00:12:21.912Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:03.746Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25223 (GCVE-0-2025-25223)

    Vulnerability from nvd – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:13:17.527926Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:16.869Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:11:36.413Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25223",
        "datePublished": "2025-02-18T00:11:36.413Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:16.869Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25222 (GCVE-0-2025-25222)

    Vulnerability from nvd – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25222",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:13:37.186935Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:28.127Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:11:03.172Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25222",
        "datePublished": "2025-02-18T00:11:03.172Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:28.127Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25221 (GCVE-0-2025-25221)

    Vulnerability from nvd – Published: 2025-02-18 00:10 – Updated: 2025-02-18 15:24
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25221",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T15:24:31.523522Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T15:24:46.624Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:10:25.747Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25221",
        "datePublished": "2025-02-18T00:10:25.747Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T15:24:46.624Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-47175 (GCVE-0-2023-47175)

    Vulnerability from nvd – Published: 2023-11-20 04:47 – Updated: 2024-08-29 13:42
    VLAI
    Summary
    Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:01:22.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN15005948/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-47175",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-29T13:41:50.710965Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T13:42:55.072Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-20T04:47:17.899Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15005948/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-47175",
        "datePublished": "2023-11-20T04:47:17.899Z",
        "dateReserved": "2023-11-15T23:38:03.453Z",
        "dateUpdated": "2024-08-29T13:42:55.072Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-46700 (GCVE-0-2023-46700)

    Vulnerability from nvd – Published: 2023-11-20 04:47 – Updated: 2024-08-29 13:44
    VLAI
    Summary
    SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:53:21.534Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN15005948/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-46700",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-29T13:43:47.411906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T13:44:41.371Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-20T04:47:07.850Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15005948/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-46700",
        "datePublished": "2023-11-20T04:47:07.850Z",
        "dateReserved": "2023-11-15T23:38:04.375Z",
        "dateUpdated": "2024-08-29T13:44:41.371Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39939 (GCVE-0-2023-39939)

    Vulnerability from nvd – Published: 2023-08-21 08:14 – Updated: 2024-10-04 17:53
    VLAI
    Summary
    SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3L (SQLite version)
    luxcal web_calendar Affected: from 0 up to, but not including, 5.2.3M (custom)
    Affected: from 0 up to, but not including, 5.2.3L (custom)
        cpe:2.3:a:luxcal:web_calendar:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:18:10.144Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04876736/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:luxcal:web_calendar:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "web_calendar",
                "vendor": "luxcal",
                "versions": [
                  {
                    "lessThan": "5.2.3M",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "5.2.3L",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39939",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T17:49:34.146076Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T17:53:12.775Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-21T08:14:23.575Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04876736/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-39939",
        "datePublished": "2023-08-21T08:14:23.575Z",
        "dateReserved": "2023-08-09T02:20:31.626Z",
        "dateUpdated": "2024-10-04T17:53:12.775Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39543 (GCVE-0-2023-39543)

    Vulnerability from nvd – Published: 2023-08-21 08:14 – Updated: 2024-10-04 17:54
    VLAI
    Summary
    Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product.
    Severity
    No CVSS data available (the record below contains no CVSS metric; only the SSVC assessment is provided).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:21.207Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04876736/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39543",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T17:54:41.002453Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T17:54:52.825Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-21T08:14:05.711Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04876736/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-39543",
        "datePublished": "2023-08-21T08:14:05.711Z",
        "dateReserved": "2023-08-09T02:20:26.225Z",
        "dateUpdated": "2024-10-04T17:54:52.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25224 (GCVE-0-2025-25224)

    Vulnerability from cvelistv5 – Published: 2025-02-18 00:12 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing authentication for critical function
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25224",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:12:59.444452Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:03.746Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing authentication for critical function",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:12:21.912Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25224",
        "datePublished": "2025-02-18T00:12:21.912Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:03.746Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25223 (GCVE-0-2025-25223)

    Vulnerability from cvelistv5 – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:13:17.527926Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:16.869Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:11:36.413Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25223",
        "datePublished": "2025-02-18T00:11:36.413Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:16.869Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25222 (GCVE-0-2025-25222)

    Vulnerability from cvelistv5 – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25222",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:13:37.186935Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:28.127Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:11:03.172Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25222",
        "datePublished": "2025-02-18T00:11:03.172Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:28.127Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25221 (GCVE-0-2025-25221)

    Vulnerability from cvelistv5 – Published: 2025-02-18 00:10 – Updated: 2025-02-18 15:24
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25221",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T15:24:31.523522Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T15:24:46.624Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:10:25.747Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25221",
        "datePublished": "2025-02-18T00:10:25.747Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T15:24:46.624Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-47175 (GCVE-0-2023-47175)

    Vulnerability from cvelistv5 – Published: 2023-11-20 04:47 – Updated: 2024-08-29 13:42
    VLAI
    Summary
    Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product.
    Severity
    No CVSS data available (the record below contains no CVSS metric; only the SSVC assessment is provided).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:01:22.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN15005948/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-47175",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-29T13:41:50.710965Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T13:42:55.072Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-20T04:47:17.899Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15005948/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-47175",
        "datePublished": "2023-11-20T04:47:17.899Z",
        "dateReserved": "2023-11-15T23:38:03.453Z",
        "dateUpdated": "2024-08-29T13:42:55.072Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-46700 (GCVE-0-2023-46700)

    Vulnerability from cvelistv5 – Published: 2023-11-20 04:47 – Updated: 2024-08-29 13:44
    VLAI
    Summary
    SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:53:21.534Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN15005948/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-46700",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-29T13:43:47.411906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T13:44:41.371Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-20T04:47:07.850Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15005948/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-46700",
        "datePublished": "2023-11-20T04:47:07.850Z",
        "dateReserved": "2023-11-15T23:38:04.375Z",
        "dateUpdated": "2024-08-29T13:44:41.371Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39939 (GCVE-0-2023-39939)

    Vulnerability from cvelistv5 – Published: 2023-08-21 08:14 – Updated: 2024-10-04 17:53
    VLAI
    Summary
    SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3L (SQLite version)
    luxcal web_calendar Affected: 0 , < 5.2.3M (custom)
    Affected: 0 , < 5.2.3L (custom)
        cpe:2.3:a:luxcal:web_calendar:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:18:10.144Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04876736/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:luxcal:web_calendar:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "web_calendar",
                "vendor": "luxcal",
                "versions": [
                  {
                    "lessThan": "5.2.3M",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "5.2.3L",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39939",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T17:49:34.146076Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T17:53:12.775Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-21T08:14:23.575Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04876736/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-39939",
        "datePublished": "2023-08-21T08:14:23.575Z",
        "dateReserved": "2023-08-09T02:20:31.626Z",
        "dateUpdated": "2024-10-04T17:53:12.775Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39543 (GCVE-0-2023-39543)

    Vulnerability from cvelistv5 – Published: 2023-08-21 08:14 – Updated: 2024-10-04 17:54
    VLAI
    Summary
    Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:21.207Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04876736/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39543",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T17:54:41.002453Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T17:54:52.825Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-21T08:14:05.711Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04876736/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-39543",
        "datePublished": "2023-08-21T08:14:05.711Z",
        "dateReserved": "2023-08-09T02:20:26.225Z",
        "dateUpdated": "2024-10-04T17:54:52.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }