CVE-2022-4455 in php-calendarinfo

Summary

by MITRE • 12/13/2022

A vulnerability was identified in sproctor php-calendar up to 2.0.13. This impacts an unknown function of the file index.php. Such manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. The attack may be launched remotely. The name of the patch is a2941109b42201c19733127ced763e270a357809. It is advisable to implement a patch to correct this issue.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 12/15/2025

The vulnerability identified in sproctor php-calendar version 2.0.13 represents a critical cross-site scripting flaw that stems from improper handling of the $_SERVER['PHP_SELF'] server variable within the index.php file. This issue falls under the CWE-79 category of Cross-Site Scripting, where malicious input is not properly sanitized before being rendered in web pages. The vulnerability exists because the application directly incorporates user-controllable data from the PHP_SELF server variable into its output without adequate validation or encoding mechanisms. The attack vector is remotely exploitable, meaning that threat actors can trigger this vulnerability through web-based attacks without requiring physical access to the target system.

The technical exploitation of this vulnerability occurs when an attacker crafts malicious input that manipulates the $_SERVER['PHP_SELF'] variable, which typically contains the path of the current script. When this manipulated value is included in the web page output without proper sanitization, it creates an XSS opportunity where JavaScript code can be executed in the context of other users' browsers. The specific patch referenced as a2941109b42201c19733127ced763e270a357809 addresses this by implementing proper input validation and output encoding mechanisms. This aligns with ATT&CK technique T1203 which describes the use of web shell commands to execute arbitrary code through web applications, and more specifically with T1059.007 which covers script-based commands in web shells.

The operational impact of this vulnerability extends beyond simple XSS attacks, as it can enable more sophisticated exploitation techniques including session hijacking, credential theft, and privilege escalation within the affected application. Attackers can leverage this vulnerability to inject malicious scripts that persist across user sessions, potentially compromising multiple users who interact with the vulnerable calendar application. The remote exploitability means that organizations need to consider their entire attack surface, as this vulnerability could be exploited from anywhere on the internet without requiring any special access privileges. Organizations should also consider that this vulnerability may be part of a broader pattern of insecure coding practices that could affect other areas of the application or similar components within the same codebase.

Mitigation strategies should include immediate implementation of the provided patch to address the specific vulnerability in the sproctor php-calendar application. Beyond patching, organizations should implement comprehensive input validation and output encoding practices throughout their web applications, particularly when handling server variables like $_SERVER['PHP_SELF']. Security measures should include content security policies to prevent unauthorized script execution, regular security code reviews, and input sanitization to prevent similar vulnerabilities from being introduced in future development cycles. The vulnerability also highlights the importance of keeping third-party components updated and monitoring for security advisories related to commonly used libraries and applications, as this represents a classic example of how outdated software can expose organizations to persistent security risks.

Responsible

VulDB

Reservation

12/13/2022

Disclosure

12/13/2022

Moderation

accepted

CPE

ready

EPSS

0.00571

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!