Vulnerabilities related to luxsoft - luxcal_web_calendar
Vulnerability from fkie_nvd
Published
2025-02-18 01:15
Modified
2025-09-15 17:13
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:sqlite:*:*:*:*:*",
              "matchCriteriaId": "F8E71986-5662-4F15-B7ED-6A23E0001A26",
              "versionEndExcluding": "5.3.3l",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:mysql:*:*:*:*:*",
              "matchCriteriaId": "CEED843E-600B-4996-8D3E-82AF25ABEE9E",
              "versionEndExcluding": "5.3.3m",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
    },
    {
      "lang": "es",
      "value": "LuxCal Web Calendar antes de 5.3.3m (versi\u00f3n MySQL) y antes de 5.3.3L (versi\u00f3n sqlite) contiene una vulnerabilidad Path Traversal en dloader.php. Si se explota esta vulnerabilidad, se pueden obtener archivos arbitrarios en un servidor."
    }
  ],
  "id": "CVE-2025-25223",
  "lastModified": "2025-09-15T17:13:19.130",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "vultures@jpcert.or.jp",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-18T01:15:09.347",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN26024080/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/?download"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "vultures@jpcert.or.jp",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2025-02-18 01:15
Modified
2025-09-15 17:44
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:sqlite:*:*:*:*:*",
              "matchCriteriaId": "F8E71986-5662-4F15-B7ED-6A23E0001A26",
              "versionEndExcluding": "5.3.3l",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:mysql:*:*:*:*:*",
              "matchCriteriaId": "CEED843E-600B-4996-8D3E-82AF25ABEE9E",
              "versionEndExcluding": "5.3.3m",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
    },
    {
      "lang": "es",
      "value": "LuxCal Web Calendar antes de 5.3.3m (versi\u00f3n MySQL) y antes de 5.3.3L (versi\u00f3n SQLite) contiene una vulnerabilidad de inyecci\u00f3n SQL en retrieve.php. Si se explota esta vulnerabilidad, la informaci\u00f3n en una base de datos puede eliminarse, alterarse o recuperarse."
    }
  ],
  "id": "CVE-2025-25222",
  "lastModified": "2025-09-15T17:44:57.600",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "vultures@jpcert.or.jp",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-18T01:15:09.210",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN26024080/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/?download"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "vultures@jpcert.or.jp",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2025-02-18 01:15
Modified
2025-09-15 17:48
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:sqlite:*:*:*:*:*",
              "matchCriteriaId": "F8E71986-5662-4F15-B7ED-6A23E0001A26",
              "versionEndExcluding": "5.3.3l",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:mysql:*:*:*:*:*",
              "matchCriteriaId": "CEED843E-600B-4996-8D3E-82AF25ABEE9E",
              "versionEndExcluding": "5.3.3m",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
    },
    {
      "lang": "es",
      "value": "LuxCal Web Calendar antes de 5.3.3m (versi\u00f3n MySQL) y antes de 5.3.3L (versi\u00f3n SQLite) contiene una vulnerabilidad de inyecci\u00f3n SQL en pdf.php. Si se explota esta vulnerabilidad, la informaci\u00f3n en una base de datos puede eliminarse, alterarse o recuperarse."
    }
  ],
  "id": "CVE-2025-25221",
  "lastModified": "2025-09-15T17:48:07.053",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "vultures@jpcert.or.jp",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-18T01:15:09.070",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN26024080/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/?download"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "vultures@jpcert.or.jp",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-11-20 05:15
Modified
2024-11-21 08:29
Summary
SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:*:*:sqlite:*:*:*",
              "matchCriteriaId": "3A266C1B-1918-4316-8651-86EE836418ED",
              "versionEndExcluding": "5.2.4l",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:*:*:mysql:*:*:*",
              "matchCriteriaId": "666FC249-C711-437A-B205-9C9A1FE49E01",
              "versionEndExcluding": "5.2.4m",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de inyecci\u00f3n SQL en LuxCal Web Calendar anterior a 5.2.4M (versi\u00f3n MySQL) y LuxCal Web Calendar anterior a 5.2.4L (versi\u00f3n SQLite) permite a un atacante remoto no autenticado ejecutar un comando SQL arbitrario enviando una solicitud manipulada y obtener o alterar informaci\u00f3n almacenada en la base de datos."
    }
  ],
  "id": "CVE-2023-46700",
  "lastModified": "2024-11-21T08:29:06.380",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-11-20T05:15:08.823",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN15005948/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.luxsoft.eu/?download"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN15005948/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.luxsoft.eu/?download"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-11-20 05:15
Modified
2024-11-21 08:29
Summary
Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:*:*:sqlite:*:*:*",
              "matchCriteriaId": "3A266C1B-1918-4316-8651-86EE836418ED",
              "versionEndExcluding": "5.2.4l",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:*:*:mysql:*:*:*",
              "matchCriteriaId": "666FC249-C711-437A-B205-9C9A1FE49E01",
              "versionEndExcluding": "5.2.4m",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de Cross-site scripting en LuxCal Web Calendar anterior a 5.2.4M (versi\u00f3n MySQL) y LuxCal Web Calendar anterior a 5.2.4L (versi\u00f3n SQLite) permite a un atacante remoto no autenticado ejecutar un script arbitrario en el navegador web del usuario que est\u00e1 accediendo al producto."
    }
  ],
  "id": "CVE-2023-47175",
  "lastModified": "2024-11-21T08:29:54.350",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-11-20T05:15:08.953",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN15005948/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.luxsoft.eu/?download"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN15005948/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.luxsoft.eu/?download"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-08-21 09:15
Modified
2024-11-21 08:16
Summary
SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2A2C8DB-069C-43B0-B15E-8B56E92E5304",
              "versionEndExcluding": "5.2.3m",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "762AC990-3256-4610-BC78-35C1833DEC4E",
              "versionEndExcluding": "5.2.3l",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it."
    }
  ],
  "id": "CVE-2023-39939",
  "lastModified": "2024-11-21T08:16:04.723",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-08-21T09:15:10.280",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN04876736/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/?download"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN04876736/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/?download"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-08-21 09:15
Modified
2024-11-21 08:15
Summary
Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2A2C8DB-069C-43B0-B15E-8B56E92E5304",
              "versionEndExcluding": "5.2.3m",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "762AC990-3256-4610-BC78-35C1833DEC4E",
              "versionEndExcluding": "5.2.3l",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product."
    }
  ],
  "id": "CVE-2023-39543",
  "lastModified": "2024-11-21T08:15:38.573",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-08-21T09:15:09.433",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN04876736/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/?download"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN04876736/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/?download"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2025-02-18 01:15
Modified
2025-09-15 17:07
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:sqlite:*:*:*:*:*",
              "matchCriteriaId": "F8E71986-5662-4F15-B7ED-6A23E0001A26",
              "versionEndExcluding": "5.3.3l",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:luxsoft:luxcal_web_calendar:*:*:mysql:*:*:*:*:*",
              "matchCriteriaId": "CEED843E-600B-4996-8D3E-82AF25ABEE9E",
              "versionEndExcluding": "5.3.3m",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
    },
    {
      "lang": "es",
      "value": "LuxCal Web Calendar antes de 5.3.3m (versi\u00f3n MySQL) y antes de 5.3.3L (versi\u00f3n SQLite) contiene una vulnerabilidad de autenticaci\u00f3n faltante en dloader.php. Si se explota esta vulnerabilidad, se pueden obtener archivos arbitrarios en un servidor."
    }
  ],
  "id": "CVE-2025-25224",
  "lastModified": "2025-09-15T17:07:37.130",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "vultures@jpcert.or.jp",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-18T01:15:09.473",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN26024080/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Product"
      ],
      "url": "https://www.luxsoft.eu/?download"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "vultures@jpcert.or.jp",
      "type": "Primary"
    }
  ]
}

CVE-2025-25223 (GCVE-0-2025-25223)
Vulnerability from cvelistv5
Published
2025-02-18 00:11
Modified
2025-02-18 19:29
CWE
  • CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
Impacted products
Vendor Product Version
LuxSoft The LuxCal Web Calendar Version: prior to 5.3.3M (MySQL version)
   LuxSoft The LuxCal Web Calendar Version: prior to 5.3.3L (SQLite version)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25223",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T17:13:17.527926Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T19:29:16.869Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "The LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.3.3M (MySQL version)"
            }
          ]
        },
        {
          "product": "The LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.3.3L (SQLite version)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-18T00:11:36.413Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.luxsoft.eu/?download"
        },
        {
          "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN26024080/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-25223",
    "datePublished": "2025-02-18T00:11:36.413Z",
    "dateReserved": "2025-02-04T05:38:52.829Z",
    "dateUpdated": "2025-02-18T19:29:16.869Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25224 (GCVE-0-2025-25224)
Vulnerability from cvelistv5
Published
2025-02-18 00:12
Modified
2025-02-18 19:29
CWE
  • CWE-306 - Missing authentication for critical function
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
Impacted products
Vendor Product Version
LuxSoft The LuxCal Web Calendar Version: prior to 5.3.3M (MySQL version)
   LuxSoft The LuxCal Web Calendar Version: prior to 5.3.3L (SQLite version)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25224",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T17:12:59.444452Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T19:29:03.746Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "The LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.3.3M (MySQL version)"
            }
          ]
        },
        {
          "product": "The LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.3.3L (SQLite version)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "Missing authentication for critical function",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-18T00:12:21.912Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.luxsoft.eu/?download"
        },
        {
          "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN26024080/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-25224",
    "datePublished": "2025-02-18T00:12:21.912Z",
    "dateReserved": "2025-02-04T05:38:52.829Z",
    "dateUpdated": "2025-02-18T19:29:03.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-47175 (GCVE-0-2023-47175)
Vulnerability from cvelistv5
Published
2023-11-20 04:47
Modified
2024-08-29 13:42
Severity ?
CWE
  • Cross-site scripting (XSS)
Summary
Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product.
Impacted products
Vendor Product Version
LuxSoft LuxCal Web Calendar Version: prior to 5.2.4M (MySQL version)
   LuxSoft LuxCal Web Calendar Version: prior to 5.2.4L (SQLite version)


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:01:22.876Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.luxsoft.eu/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.luxsoft.eu/?download"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN15005948/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-47175",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-29T13:41:50.710965Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T13:42:55.072Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.2.4M (MySQL version)"
            }
          ]
        },
        {
          "product": "LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.2.4L (SQLite version)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-20T04:47:17.899Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.luxsoft.eu/"
        },
        {
          "url": "https://www.luxsoft.eu/?download"
        },
        {
          "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN15005948/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-47175",
    "datePublished": "2023-11-20T04:47:17.899Z",
    "dateReserved": "2023-11-15T23:38:03.453Z",
    "dateUpdated": "2024-08-29T13:42:55.072Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25222 (GCVE-0-2025-25222)
Vulnerability from cvelistv5
Published
2025-02-18 00:11
Modified
2025-02-18 19:29
CWE
  • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
Impacted products
Vendor Product Version
LuxSoft The LuxCal Web Calendar Version: prior to 5.3.3M (MySQL version)
   LuxSoft The LuxCal Web Calendar Version: prior to 5.3.3L (SQLite version)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25222",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T17:13:37.186935Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T19:29:28.127Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "The LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.3.3M (MySQL version)"
            }
          ]
        },
        {
          "product": "The LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.3.3L (SQLite version)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-18T00:11:03.172Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.luxsoft.eu/?download"
        },
        {
          "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN26024080/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-25222",
    "datePublished": "2025-02-18T00:11:03.172Z",
    "dateReserved": "2025-02-04T05:38:52.829Z",
    "dateUpdated": "2025-02-18T19:29:28.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-46700 (GCVE-0-2023-46700)
Vulnerability from cvelistv5
Published
2023-11-20 04:47
Modified
2024-08-29 13:44
Severity ?
CWE
  • SQL Injection
Summary
SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database.
Impacted products
Vendor Product Version
LuxSoft LuxCal Web Calendar Version: prior to 5.2.4M (MySQL version)
   LuxSoft LuxCal Web Calendar Version: prior to 5.2.4L (SQLite version)


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:53:21.534Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.luxsoft.eu/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.luxsoft.eu/?download"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN15005948/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-46700",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-29T13:43:47.411906Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T13:44:41.371Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.2.4M (MySQL version)"
            }
          ]
        },
        {
          "product": "LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.2.4L (SQLite version)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "SQL Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-20T04:47:07.850Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.luxsoft.eu/"
        },
        {
          "url": "https://www.luxsoft.eu/?download"
        },
        {
          "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN15005948/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-46700",
    "datePublished": "2023-11-20T04:47:07.850Z",
    "dateReserved": "2023-11-15T23:38:04.375Z",
    "dateUpdated": "2024-08-29T13:44:41.371Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25221 (GCVE-0-2025-25221)
Vulnerability from cvelistv5
Published
2025-02-18 00:10
Modified
2025-02-18 15:24
CWE
  • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
Impacted products
Vendor Product Version
LuxSoft The LuxCal Web Calendar Version: prior to 5.3.3M (MySQL version)
   LuxSoft The LuxCal Web Calendar Version: prior to 5.3.3L (SQLite version)


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25221",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T15:24:31.523522Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T15:24:46.624Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "The LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.3.3M (MySQL version)"
            }
          ]
        },
        {
          "product": "The LuxCal Web Calendar",
          "vendor": "LuxSoft",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.3.3L (SQLite version)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-18T00:10:25.747Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.luxsoft.eu/?download"
        },
        {
          "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN26024080/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-25221",
    "datePublished": "2025-02-18T00:10:25.747Z",
    "dateReserved": "2025-02-04T05:38:52.829Z",
    "dateUpdated": "2025-02-18T15:24:46.624Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-39939 (GCVE-0-2023-39939)
Vulnerability from cvelistv5
Published
2023-08-21 08:14
Modified
2024-10-04 17:53
Severity ?
CWE
  • SQL Injection
Summary
SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it.
Impacted products
Vendor Product Version
LuxSoft LuxCal Web Calendar Version: prior to 5.2.3M (MySQL version)
   LuxSoft LuxCal Web Calendar Version: prior to 5.2.3L (SQLite version)


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:18:10.144Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.luxsoft.eu/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.luxsoft.eu/?download"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN04876736/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:luxcal:web_calendar:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "web_calendar",
            "vendor": "luxcal",
            "versions": [
              {
                "lessThan": "5.2.3M",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "5.2.3L",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39939",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-04T17:49:34.146076Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-04T17:53:12.775Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LuxCal Web Calendar",
          "vendor": "LuxSoft ",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.2.3M (MySQL version)"
            }
          ]
        },
        {
          "product": "LuxCal Web Calendar",
          "vendor": "LuxSoft ",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.2.3L (SQLite version)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "SQL Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-21T08:14:23.575Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.luxsoft.eu/"
        },
        {
          "url": "https://www.luxsoft.eu/?download"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN04876736/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-39939",
    "datePublished": "2023-08-21T08:14:23.575Z",
    "dateReserved": "2023-08-09T02:20:31.626Z",
    "dateUpdated": "2024-10-04T17:53:12.775Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-39543 (GCVE-0-2023-39543)
Vulnerability from cvelistv5
Published
2023-08-21 08:14
Modified
2024-10-04 17:54
Severity ?
CWE
  • Cross-site scripting (XSS)
Summary
Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product.
Impacted products
Vendor Product Version
LuxSoft LuxCal Web Calendar Version: prior to 5.2.3M (MySQL version)
   LuxSoft LuxCal Web Calendar Version: prior to 5.2.3L (SQLite version)


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:10:21.207Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.luxsoft.eu/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.luxsoft.eu/?download"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN04876736/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39543",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-04T17:54:41.002453Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-04T17:54:52.825Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LuxCal Web Calendar",
          "vendor": "LuxSoft ",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.2.3M (MySQL version)"
            }
          ]
        },
        {
          "product": "LuxCal Web Calendar",
          "vendor": "LuxSoft ",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.2.3L (SQLite version)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-21T08:14:05.711Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.luxsoft.eu/"
        },
        {
          "url": "https://www.luxsoft.eu/?download"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN04876736/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-39543",
    "datePublished": "2023-08-21T08:14:05.711Z",
    "dateReserved": "2023-08-09T02:20:26.225Z",
    "dateUpdated": "2024-10-04T17:54:52.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}