# Vulnerability Title: Stored Cross-Site Scripting - Special Days Module
# Vendor Homepage: https://pandorafms.com/en/
# Version: <= v767
# CVE: CVE-2023-24516
# CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4 Medium)
# Exploit Author: Gaurish Kauthankar
# Date: 22/08/2023
- Create a calendar entry as an attacker.
- Click on the special days button.
- Select a random date and set the group value to All (to target high-privilege users such as admins).
- Add the XSS payload in the description field.
- Browse the special days module as an admin and hover over the info icon.
- The XSS payload will be executed.
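
For defenders, the flaw in the steps above comes down to the stored description reaching the info-icon tooltip without output encoding. The sketch below is an added example, not Pandora FMS code: the row shape, the `title`-attribute rendering and all function names are assumptions, and the sample rows are constructed. It shows the unencoded rendering beside an encoded one, plus a check for descriptions that were stored before a fix was applied.

```javascript
// Hypothetical sketch: row shape, markup and function names are assumptions,
// not taken from Pandora FMS. Sample rows are constructed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode every character that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored description is concatenated into the tooltip as-is.
function renderInfoIconUnsafe(day) {
  return '<span class="info-icon" title="' + day.description + '"></span>';
}

// Hardened pattern: the description is encoded at output time, so it stays data.
function renderInfoIcon(day) {
  return '<span class="info-icon" title="' + escapeHtml(day.description) + '"></span>';
}

// Audit helper: return ids of stored descriptions that carry markup, event-handler
// attributes or a javascript: URL, so existing entries can be reviewed by hand.
const MARKUP = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;
function findSuspectDescriptions(rows) {
  return rows
    .filter((row) => MARKUP.test(String(row.description ?? '')))
    .map((row) => row.id);
}

// Constructed sample rows standing in for stored special-day entries.
const sampleRows = [
  { id: 1, group: 'All', description: 'Public holiday' },
  { id: 2, group: 'All', description: '"><i>constructed markup</i>' },
  { id: 3, group: 'Servers', description: 'Maintenance & patching, 5 < 6' },
];

// Number of unescaped double quotes in rendered output; a well-formed icon has 4.
function countQuotes(html) {
  return (html.match(/"/g) || []).length;
}
```

If the tooltip widget copies the attribute value back into the page as HTML, it must assign it as text instead, because the browser has already decoded the entities by that point.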