
    23 vulnerabilities by LuxSoft

    CVE-2025-25224 (GCVE-0-2025-25224)

    Vulnerability from cvelistv5 – Published: 2025-02-18 00:12 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing authentication for critical function
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25224",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:12:59.444452Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:03.746Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing authentication for critical function",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:12:21.912Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25224",
        "datePublished": "2025-02-18T00:12:21.912Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:03.746Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25223 (GCVE-0-2025-25223)

    Vulnerability from cvelistv5 – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:13:17.527926Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:16.869Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:11:36.413Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25223",
        "datePublished": "2025-02-18T00:11:36.413Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:16.869Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25222 (GCVE-0-2025-25222)

    Vulnerability from cvelistv5 – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25222",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:13:37.186935Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:28.127Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:11:03.172Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25222",
        "datePublished": "2025-02-18T00:11:03.172Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:28.127Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25221 (GCVE-0-2025-25221)

    Vulnerability from cvelistv5 – Published: 2025-02-18 00:10 – Updated: 2025-02-18 15:24
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25221",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T15:24:31.523522Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T15:24:46.624Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:10:25.747Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25221",
        "datePublished": "2025-02-18T00:10:25.747Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T15:24:46.624Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-47175 (GCVE-0-2023-47175)

    Vulnerability from cvelistv5 – Published: 2023-11-20 04:47 – Updated: 2024-08-29 13:42
    VLAI
    Summary
    Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:01:22.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN15005948/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-47175",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-29T13:41:50.710965Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T13:42:55.072Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-20T04:47:17.899Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15005948/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-47175",
        "datePublished": "2023-11-20T04:47:17.899Z",
        "dateReserved": "2023-11-15T23:38:03.453Z",
        "dateUpdated": "2024-08-29T13:42:55.072Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-46700 (GCVE-0-2023-46700)

    Vulnerability from cvelistv5 – Published: 2023-11-20 04:47 – Updated: 2024-08-29 13:44
    VLAI
    Summary
    SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:53:21.534Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN15005948/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-46700",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-29T13:43:47.411906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T13:44:41.371Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-20T04:47:07.850Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15005948/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-46700",
        "datePublished": "2023-11-20T04:47:07.850Z",
        "dateReserved": "2023-11-15T23:38:04.375Z",
        "dateUpdated": "2024-08-29T13:44:41.371Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39939 (GCVE-0-2023-39939)

    Vulnerability from cvelistv5 – Published: 2023-08-21 08:14 – Updated: 2024-10-04 17:53
    VLAI
    Summary
    SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3L (SQLite version)
    luxcal web_calendar Affected: 0 , < 5.2.3M (custom)
    Affected: 0 , < 5.2.3L (custom)
        cpe:2.3:a:luxcal:web_calendar:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:18:10.144Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04876736/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:luxcal:web_calendar:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "web_calendar",
                "vendor": "luxcal",
                "versions": [
                  {
                    "lessThan": "5.2.3M",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "5.2.3L",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39939",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T17:49:34.146076Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T17:53:12.775Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-21T08:14:23.575Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04876736/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-39939",
        "datePublished": "2023-08-21T08:14:23.575Z",
        "dateReserved": "2023-08-09T02:20:31.626Z",
        "dateUpdated": "2024-10-04T17:53:12.775Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39543 (GCVE-0-2023-39543)

    Vulnerability from cvelistv5 – Published: 2023-08-21 08:14 – Updated: 2024-10-04 17:54
    VLAI
    Summary
    Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:21.207Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04876736/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39543",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T17:54:41.002453Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T17:54:52.825Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-21T08:14:05.711Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04876736/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-39543",
        "datePublished": "2023-08-21T08:14:05.711Z",
        "dateReserved": "2023-08-09T02:20:26.225Z",
        "dateUpdated": "2024-10-04T17:54:52.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-45914 (GCVE-0-2021-45914)

    Vulnerability from cvelistv5 – Published: 2022-05-24 14:32 – Updated: 2024-08-04 04:54
    VLAI
    Summary
    In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a POST request. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:54:30.940Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/h1pmnh"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://twitter.com/h1pmnh"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/index.php?pge=dload"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a POST request. This allows the attacker\u0027s session to be authenticated as any registered LuxCal user, including the site administrator."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-24T14:32:59.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/h1pmnh"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://twitter.com/h1pmnh"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.luxsoft.eu/index.php?pge=dload"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-45914",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a POST request. This allows the attacker\u0027s session to be authenticated as any registered LuxCal user, including the site administrator."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/h1pmnh",
                  "refsource": "MISC",
                  "url": "https://github.com/h1pmnh"
                },
                {
                  "name": "https://twitter.com/h1pmnh",
                  "refsource": "MISC",
                  "url": "https://twitter.com/h1pmnh"
                },
                {
                  "name": "https://www.luxsoft.eu/index.php?pge=dload",
                  "refsource": "CONFIRM",
                  "url": "https://www.luxsoft.eu/index.php?pge=dload"
                },
                {
                  "name": "https://h1pmnh.github.io/post/cve-luxcal-2021/",
                  "refsource": "MISC",
                  "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-45914",
        "datePublished": "2022-05-24T14:32:59.000Z",
        "dateReserved": "2021-12-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T04:54:30.940Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-45915 (GCVE-0-2021-45915)

    Vulnerability from cvelistv5 – Published: 2022-05-24 14:32 – Updated: 2024-08-04 04:54
    VLAI
    Summary
    In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:54:31.026Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/h1pmnh"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://twitter.com/h1pmnh"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/index.php?pge=dload"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value. This allows the attacker\u0027s session to be authenticated as any registered LuxCal user, including the site administrator."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-24T14:32:44.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/h1pmnh"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://twitter.com/h1pmnh"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.luxsoft.eu/index.php?pge=dload"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-45915",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value. This allows the attacker\u0027s session to be authenticated as any registered LuxCal user, including the site administrator."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/h1pmnh",
                  "refsource": "MISC",
                  "url": "https://github.com/h1pmnh"
                },
                {
                  "name": "https://twitter.com/h1pmnh",
                  "refsource": "MISC",
                  "url": "https://twitter.com/h1pmnh"
                },
                {
                  "name": "https://www.luxsoft.eu/index.php?pge=dload",
                  "refsource": "CONFIRM",
                  "url": "https://www.luxsoft.eu/index.php?pge=dload"
                },
                {
                  "name": "https://h1pmnh.github.io/post/cve-luxcal-2021/",
                  "refsource": "MISC",
                  "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-45915",
        "datePublished": "2022-05-24T14:32:44.000Z",
        "dateReserved": "2021-12-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T04:54:31.026Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25224 (GCVE-0-2025-25224)

    Vulnerability from nvd – Published: 2025-02-18 00:12 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing authentication for critical function
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25224",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:12:59.444452Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:03.746Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing authentication for critical function",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:12:21.912Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25224",
        "datePublished": "2025-02-18T00:12:21.912Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:03.746Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25223 (GCVE-0-2025-25223)

    Vulnerability from nvd – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:13:17.527926Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:16.869Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:11:36.413Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25223",
        "datePublished": "2025-02-18T00:11:36.413Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:16.869Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25222 (GCVE-0-2025-25222)

    Vulnerability from nvd – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25222",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T17:13:37.186935Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T19:29:28.127Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:11:03.172Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25222",
        "datePublished": "2025-02-18T00:11:03.172Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T19:29:28.127Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25221 (GCVE-0-2025-25221)

    Vulnerability from nvd – Published: 2025-02-18 00:10 – Updated: 2025-02-18 15:24
    VLAI
    Summary
    The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3M (MySQL version)
    LuxSoft The LuxCal Web Calendar Affected: prior to 5.3.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25221",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T15:24:31.523522Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T15:24:46.624Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "The LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.3.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-18T00:10:25.747Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN26024080/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-25221",
        "datePublished": "2025-02-18T00:10:25.747Z",
        "dateReserved": "2025-02-04T05:38:52.829Z",
        "dateUpdated": "2025-02-18T15:24:46.624Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-47175 (GCVE-0-2023-47175)

    Vulnerability from nvd – Published: 2023-11-20 04:47 – Updated: 2024-08-29 13:42
    VLAI
    Summary
    Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:01:22.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN15005948/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-47175",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-29T13:41:50.710965Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T13:42:55.072Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-20T04:47:17.899Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15005948/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-47175",
        "datePublished": "2023-11-20T04:47:17.899Z",
        "dateReserved": "2023-11-15T23:38:03.453Z",
        "dateUpdated": "2024-08-29T13:42:55.072Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-46700 (GCVE-0-2023-46700)

    Vulnerability from nvd – Published: 2023-11-20 04:47 – Updated: 2024-08-29 13:44
    VLAI
    Summary
    SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.4L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:53:21.534Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN15005948/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-46700",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-29T13:43:47.411906Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T13:44:41.371Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.4L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary SQL command by sending a crafted request, and obtain or alter information stored in the database."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-20T04:47:07.850Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://www.luxsoft.eu/lcforum/viewtopic.php?id=476"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN15005948/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-46700",
        "datePublished": "2023-11-20T04:47:07.850Z",
        "dateReserved": "2023-11-15T23:38:04.375Z",
        "dateUpdated": "2024-08-29T13:44:41.371Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39939 (GCVE-0-2023-39939)

    Vulnerability from nvd – Published: 2023-08-21 08:14 – Updated: 2024-10-04 17:53
    VLAI
    Summary
    SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • SQL Injection
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3L (SQLite version)
    luxcal web_calendar Affected: 0 , < 5.2.3M (custom)
    Affected: 0 , < 5.2.3L (custom)
        cpe:2.3:a:luxcal:web_calendar:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:18:10.144Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04876736/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:luxcal:web_calendar:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "web_calendar",
                "vendor": "luxcal",
                "versions": [
                  {
                    "lessThan": "5.2.3M",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "5.2.3L",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39939",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T17:49:34.146076Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T17:53:12.775Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute arbitrary queries against the database and obtain or alter the information in it."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-21T08:14:23.575Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04876736/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-39939",
        "datePublished": "2023-08-21T08:14:23.575Z",
        "dateReserved": "2023-08-09T02:20:31.626Z",
        "dateUpdated": "2024-10-04T17:53:12.775Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39543 (GCVE-0-2023-39543)

    Vulnerability from nvd – Published: 2023-08-21 08:14 – Updated: 2024-10-04 17:54
    VLAI
    Summary
    Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3M (MySQL version)
    LuxSoft LuxCal Web Calendar Affected: prior to 5.2.3L (SQLite version)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:21.207Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/?download"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN04876736/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39543",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T17:54:41.002453Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T17:54:52.825Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3M (MySQL version)"
                }
              ]
            },
            {
              "product": "LuxCal Web Calendar",
              "vendor": "LuxSoft ",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 5.2.3L (SQLite version)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M (MySQL version) and LuxCal Web Calendar prior to 5.2.3L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-21T08:14:05.711Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.luxsoft.eu/"
            },
            {
              "url": "https://www.luxsoft.eu/?download"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN04876736/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-39543",
        "datePublished": "2023-08-21T08:14:05.711Z",
        "dateReserved": "2023-08-09T02:20:26.225Z",
        "dateUpdated": "2024-10-04T17:54:52.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-45915 (GCVE-0-2021-45915)

    Vulnerability from nvd – Published: 2022-05-24 14:32 – Updated: 2024-08-04 04:54
    Summary
    In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator.
    Severity
    No CVSS data available.
    CWE
    • n/a

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:54:31.026Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/h1pmnh"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://twitter.com/h1pmnh"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/index.php?pge=dload"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value. This allows the attacker\u0027s session to be authenticated as any registered LuxCal user, including the site administrator."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-24T14:32:44.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/h1pmnh"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://twitter.com/h1pmnh"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.luxsoft.eu/index.php?pge=dload"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-45915",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a cookie value. This allows the attacker\u0027s session to be authenticated as any registered LuxCal user, including the site administrator."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/h1pmnh",
                  "refsource": "MISC",
                  "url": "https://github.com/h1pmnh"
                },
                {
                  "name": "https://twitter.com/h1pmnh",
                  "refsource": "MISC",
                  "url": "https://twitter.com/h1pmnh"
                },
                {
                  "name": "https://www.luxsoft.eu/index.php?pge=dload",
                  "refsource": "CONFIRM",
                  "url": "https://www.luxsoft.eu/index.php?pge=dload"
                },
                {
                  "name": "https://h1pmnh.github.io/post/cve-luxcal-2021/",
                  "refsource": "MISC",
                  "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-45915",
        "datePublished": "2022-05-24T14:32:44.000Z",
        "dateReserved": "2021-12-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T04:54:31.026Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-45914 (GCVE-0-2021-45914)

    Vulnerability from nvd – Published: 2022-05-24 14:32 – Updated: 2024-08-04 04:54
    Summary
    In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a POST request. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator.
    Severity
    No CVSS data available.
    CWE
    • n/a

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:54:30.940Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/h1pmnh"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://twitter.com/h1pmnh"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.luxsoft.eu/index.php?pge=dload"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a POST request. This allows the attacker\u0027s session to be authenticated as any registered LuxCal user, including the site administrator."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-24T14:32:59.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/h1pmnh"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://twitter.com/h1pmnh"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.luxsoft.eu/index.php?pge=dload"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-45914",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In LuxSoft LuxCal Web Calendar before 5.2.0, an unauthenticated attacker can manipulate a POST request. This allows the attacker\u0027s session to be authenticated as any registered LuxCal user, including the site administrator."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/h1pmnh",
                  "refsource": "MISC",
                  "url": "https://github.com/h1pmnh"
                },
                {
                  "name": "https://twitter.com/h1pmnh",
                  "refsource": "MISC",
                  "url": "https://twitter.com/h1pmnh"
                },
                {
                  "name": "https://www.luxsoft.eu/index.php?pge=dload",
                  "refsource": "CONFIRM",
                  "url": "https://www.luxsoft.eu/index.php?pge=dload"
                },
                {
                  "name": "https://h1pmnh.github.io/post/cve-luxcal-2021/",
                  "refsource": "MISC",
                  "url": "https://h1pmnh.github.io/post/cve-luxcal-2021/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-45914",
        "datePublished": "2022-05-24T14:32:59.000Z",
        "dateReserved": "2021-12-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T04:54:30.940Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    JVNDB-2025-000012

    Vulnerability from jvndb - Published: 2025-02-17 13:43 - Updated: 2025-02-17 13:43
    Severity
    Summary
    Multiple vulnerabilities in The LuxCal Web Calendar
    Details
    The LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.
    • SQL injection in pdf.php (CWE-89) - CVE-2025-25221
    • SQL injection in retrieve.php (CWE-89) - CVE-2025-25222
    • Path traversal in dloader.php (CWE-22) - CVE-2025-25223
    • Missing authentication in dloader.php (CWE-306) - CVE-2025-25224
    CVE-2025-25221, CVE-2025-25222: Rikuto Tauchi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    CVE-2025-25223, CVE-2025-25224: Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000012.html",
      "dc:date": "2025-02-17T13:43+09:00",
      "dcterms:issued": "2025-02-17T13:43+09:00",
      "dcterms:modified": "2025-02-17T13:43+09:00",
      "description": "The LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eSQL injection in pdf.php (CWE-89) - CVE-2025-25221\u003c/li\u003e\r\n\u003cli\u003eSQL injection in retrieve.php (CWE-89) - CVE-2025-25222\u003c/li\u003e\r\n\u003cli\u003ePath traversal in dloader.php (CWE-22) - CVE-2025-25223\u003c/li\u003e\r\n\u003cli\u003eMissing authentication in dloader.php (CWE-306) - CVE-2025-25224\u003c/li\u003e\u003c/ul\u003e\r\n\r\nCVE-2025-25221, CVE-2025-25222\r\nRikuto Tauchi reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2025-25223, CVE-2025-25224\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000012.html",
      "sec:cpe": {
        "#text": "cpe:/a:luxsoft:luxcal_web_calendar",
        "@product": "The LuxCal Web Calendar",
        "@vendor": "LuxSoft",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "7.3",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2025-000012",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN26024080/index.html",
          "@id": "JVN#26024080",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-25221",
          "@id": "CVE-2025-25221",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-25222",
          "@id": "CVE-2025-25222",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-25223",
          "@id": "CVE-2025-25223",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-25224",
          "@id": "CVE-2025-25224",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-22",
          "@title": "Path Traversal(CWE-22)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-89",
          "@title": "SQL Injection(CWE-89)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "Multiple vulnerabilities in The LuxCal Web Calendar"
    }

    JVNDB-2023-000117

    Vulnerability from jvndb - Published: 2023-11-20 17:15 - Updated: 2023-11-20 17:15
    Severity
    Summary
    Multiple vulnerabilities in LuxCal Web Calendar
    Details
    LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.
    • SQL injection (CWE-89) - CVE-2023-46700
    • Cross-site scripting (CWE-79) - CVE-2023-47175
    Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000117.html",
      "dc:date": "2023-11-20T17:15+09:00",
      "dcterms:issued": "2023-11-20T17:15+09:00",
      "dcterms:modified": "2023-11-20T17:15+09:00",
      "description": "LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.\r\n\r\n\u003cul\u003e\u003cli\u003eSQL injection (CWE-89) - CVE-2023-46700\u003c/li\u003e\u003cli\u003eCross-site scripting (CWE-79) - CVE-2023-47175\u003c/li\u003e\u003c/ul\u003e\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000117.html",
      "sec:cpe": {
        "#text": "cpe:/a:luxsoft:luxcal_web_calendar",
        "@product": "The LuxCal Web Calendar",
        "@vendor": "LuxSoft",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "7.5",
          "@severity": "High",
          "@type": "Base",
          "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "7.3",
          "@severity": "High",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2023-000117",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN15005948/index.html",
          "@id": "JVN#15005948",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-46700",
          "@id": "CVE-2023-46700",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-47175",
          "@id": "CVE-2023-47175",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-46700",
          "@id": "CVE-2023-46700",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-47175",
          "@id": "CVE-2023-47175",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-89",
          "@title": "SQL Injection(CWE-89)"
        }
      ],
      "title": "Multiple vulnerabilities in LuxCal Web Calendar"
    }

    JVNDB-2023-000083

    Vulnerability from jvndb - Published: 2023-08-21 13:29 - Updated: 2024-03-26 17:09
    Severity
    Summary
    Multiple vulnerabilities in LuxCal Web Calendar
    Details
    LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.
    • Cross-site scripting (CWE-79) - CVE-2023-39543
    • SQL injection (CWE-89) - CVE-2023-39939
    Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000083.html",
      "dc:date": "2024-03-26T17:09+09:00",
      "dcterms:issued": "2023-08-21T13:29+09:00",
      "dcterms:modified": "2024-03-26T17:09+09:00",
      "description": "LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.\r\n\r\n  * Cross-site scripting (CWE-79) - CVE-2023-39543\r\n  * SQL injection (CWE-89) - CVE-2023-39939\r\n\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000083.html",
      "sec:cpe": {
        "#text": "cpe:/a:luxsoft:luxcal_web_calendar",
        "@product": "The LuxCal Web Calendar",
        "@vendor": "LuxSoft",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "7.5",
          "@severity": "High",
          "@type": "Base",
          "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "7.3",
          "@severity": "High",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2023-000083",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN04876736/index.html",
          "@id": "JVN#04876736",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-39543",
          "@id": "CVE-2023-39543",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-39939",
          "@id": "CVE-2023-39939",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-39543",
          "@id": "CVE-2023-39543",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-39939",
          "@id": "CVE-2023-39939",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-89",
          "@title": "SQL Injection(CWE-89)"
        }
      ],
      "title": "Multiple vulnerabilities in LuxCal Web Calendar"
    }