EMS Master Calendar Reflected XSS Vulnerability (<
Data input into EMS Master Calendar before via URL parameters are not properly sanitized, allowing malicious attackers to send a crafted URL and execute code in the context of the user's browser.
Additional Information:
CVE-Reference: CVE-2018-11628
Product: EMS Master Calendar
Vendor: EMS Software
Vulnerable Version: Before
Vulnerability Type: Reflective Cross Site Scripting (XSS)
Attack Type: Remote
Attack Vector: Injection into vulnerable URL parameter
Vendor Acknowledged: True
Vendor Notification Timeline:
1. 5/8/2018: Contacted EMS Software to report vulnerability.
2. 5/14/2018: EMS Software responded with acknowledgement of vulnerability and information regarding the patched software version number.
3. 5/31/2018: Submitted to MITRE for CVE assignment.
Mitigation: EMS Software responded that they have patched the product and advise updating it to a version after to remediate the XSS vulnerability in the Master Calendar component.
Discovered and Provided:
- Chris Barretto of OCD Tech
- cbarretto[at]
- @TheOCDTech
Additional References: