Description
The Add To Calendar module provides a widget that renders calendar event metadata as structured HTML, enabling visitors to add events to their preferred calendar applications.
The module doesn't apply "check_plain()" to the values written into "<var>" HTML elements in "addtocalendar_preprocess_field()", including the event title, description, location, organizer, organizer email, start and end dates, timezone, and privacy setting sourced from entity fields, the entity label, or token-processed values.
This vulnerability is mitigated by the requirement that an attacker have permission to create or edit content entities that have the Add To Calendar formatter configured, limiting the attack surface to authenticated users with content editing roles.
Solution
Install the latest version.
If you use the Add To Calendar Button (AddEvent.com) module for Drupal 7, upgrade to addtocalendar 7.x-1.2:
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES