Search criteria
11 vulnerabilities found for The LuxCal Web Calendar by LuxSoft
CVE-2025-25224 (GCVE-0-2025-25224)
Vulnerability from cvelistv5 – Published: 2025-02-18 00:12 – Updated: 2025-02-18 19:29
VLAI?
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
Severity ?
5.3 (Medium)
CWE
- CWE-306 - Missing authentication for critical function
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| LuxSoft | The LuxCal Web Calendar |
Affected:
prior to 5.3.3M (MySQL version)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25224",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T17:12:59.444452Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T19:29:03.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3M (MySQL version)"
}
]
},
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3L (SQLite version)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing authentication for critical function",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T00:12:21.912Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.luxsoft.eu/?download"
},
{
"url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
},
{
"url": "https://jvn.jp/en/jp/JVN26024080/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-25224",
"datePublished": "2025-02-18T00:12:21.912Z",
"dateReserved": "2025-02-04T05:38:52.829Z",
"dateUpdated": "2025-02-18T19:29:03.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25223 (GCVE-0-2025-25223)
Vulnerability from cvelistv5 – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
VLAI?
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
Severity ?
5.8 (Medium)
CWE
- CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| LuxSoft | The LuxCal Web Calendar |
Affected:
prior to 5.3.3M (MySQL version)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T17:13:17.527926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T19:29:16.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3M (MySQL version)"
}
]
},
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3L (SQLite version)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T00:11:36.413Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.luxsoft.eu/?download"
},
{
"url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
},
{
"url": "https://jvn.jp/en/jp/JVN26024080/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-25223",
"datePublished": "2025-02-18T00:11:36.413Z",
"dateReserved": "2025-02-04T05:38:52.829Z",
"dateUpdated": "2025-02-18T19:29:16.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25222 (GCVE-0-2025-25222)
Vulnerability from cvelistv5 – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
VLAI?
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
Severity ?
7.3 (High)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| LuxSoft | The LuxCal Web Calendar |
Affected:
prior to 5.3.3M (MySQL version)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T17:13:37.186935Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T19:29:28.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3M (MySQL version)"
}
]
},
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3L (SQLite version)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T00:11:03.172Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.luxsoft.eu/?download"
},
{
"url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
},
{
"url": "https://jvn.jp/en/jp/JVN26024080/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-25222",
"datePublished": "2025-02-18T00:11:03.172Z",
"dateReserved": "2025-02-04T05:38:52.829Z",
"dateUpdated": "2025-02-18T19:29:28.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25221 (GCVE-0-2025-25221)
Vulnerability from cvelistv5 – Published: 2025-02-18 00:10 – Updated: 2025-02-18 15:24
VLAI?
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
Severity ?
7.3 (High)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| LuxSoft | The LuxCal Web Calendar |
Affected:
prior to 5.3.3M (MySQL version)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25221",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:24:31.523522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:24:46.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3M (MySQL version)"
}
]
},
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3L (SQLite version)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T00:10:25.747Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.luxsoft.eu/?download"
},
{
"url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
},
{
"url": "https://jvn.jp/en/jp/JVN26024080/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-25221",
"datePublished": "2025-02-18T00:10:25.747Z",
"dateReserved": "2025-02-04T05:38:52.829Z",
"dateUpdated": "2025-02-18T15:24:46.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25224 (GCVE-0-2025-25224)
Vulnerability from nvd – Published: 2025-02-18 00:12 – Updated: 2025-02-18 19:29
VLAI?
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
Severity ?
5.3 (Medium)
CWE
- CWE-306 - Missing authentication for critical function
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| LuxSoft | The LuxCal Web Calendar |
Affected:
prior to 5.3.3M (MySQL version)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25224",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T17:12:59.444452Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T19:29:03.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3M (MySQL version)"
}
]
},
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3L (SQLite version)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing authentication for critical function",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T00:12:21.912Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.luxsoft.eu/?download"
},
{
"url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
},
{
"url": "https://jvn.jp/en/jp/JVN26024080/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-25224",
"datePublished": "2025-02-18T00:12:21.912Z",
"dateReserved": "2025-02-04T05:38:52.829Z",
"dateUpdated": "2025-02-18T19:29:03.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25223 (GCVE-0-2025-25223)
Vulnerability from nvd – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
VLAI?
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
Severity ?
5.8 (Medium)
CWE
- CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| LuxSoft | The LuxCal Web Calendar |
Affected:
prior to 5.3.3M (MySQL version)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T17:13:17.527926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T19:29:16.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3M (MySQL version)"
}
]
},
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3L (SQLite version)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T00:11:36.413Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.luxsoft.eu/?download"
},
{
"url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
},
{
"url": "https://jvn.jp/en/jp/JVN26024080/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-25223",
"datePublished": "2025-02-18T00:11:36.413Z",
"dateReserved": "2025-02-04T05:38:52.829Z",
"dateUpdated": "2025-02-18T19:29:16.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25222 (GCVE-0-2025-25222)
Vulnerability from nvd – Published: 2025-02-18 00:11 – Updated: 2025-02-18 19:29
VLAI?
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
Severity ?
7.3 (High)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| LuxSoft | The LuxCal Web Calendar |
Affected:
prior to 5.3.3M (MySQL version)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T17:13:37.186935Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T19:29:28.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3M (MySQL version)"
}
]
},
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3L (SQLite version)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T00:11:03.172Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.luxsoft.eu/?download"
},
{
"url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
},
{
"url": "https://jvn.jp/en/jp/JVN26024080/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-25222",
"datePublished": "2025-02-18T00:11:03.172Z",
"dateReserved": "2025-02-04T05:38:52.829Z",
"dateUpdated": "2025-02-18T19:29:28.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25221 (GCVE-0-2025-25221)
Vulnerability from nvd – Published: 2025-02-18 00:10 – Updated: 2025-02-18 15:24
VLAI?
Summary
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
Severity ?
7.3 (High)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| LuxSoft | The LuxCal Web Calendar |
Affected:
prior to 5.3.3M (MySQL version)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25221",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:24:31.523522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:24:46.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3M (MySQL version)"
}
]
},
{
"product": "The LuxCal Web Calendar",
"vendor": "LuxSoft",
"versions": [
{
"status": "affected",
"version": "prior to 5.3.3L (SQLite version)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T00:10:25.747Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.luxsoft.eu/?download"
},
{
"url": "https://www.luxsoft.eu/lcforum/viewtopic.php?pid=1984#p1984"
},
{
"url": "https://jvn.jp/en/jp/JVN26024080/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-25221",
"datePublished": "2025-02-18T00:10:25.747Z",
"dateReserved": "2025-02-04T05:38:52.829Z",
"dateUpdated": "2025-02-18T15:24:46.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2025-000012
Vulnerability from jvndb - Published: 2025-02-17 13:43 - Updated:2025-02-17 13:43
Severity ?
Summary
Multiple vulnerabilities in The LuxCal Web Calendar
Details
The LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.
- SQL injection in pdf.php (CWE-89) - CVE-2025-25221
- SQL injection in retrieve.php (CWE-89) - CVE-2025-25222
- Path traversal in dloader.php (CWE-22) - CVE-2025-25223
- Missing authentication in dloader.php (CWE-306) - CVE-2025-25224
References
| Type | URL | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000012.html",
"dc:date": "2025-02-17T13:43+09:00",
"dcterms:issued": "2025-02-17T13:43+09:00",
"dcterms:modified": "2025-02-17T13:43+09:00",
"description": "The LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eSQL injection in pdf.php (CWE-89) - CVE-2025-25221\u003c/li\u003e\r\n\u003cli\u003eSQL injection in retrieve.php (CWE-89) - CVE-2025-25222\u003c/li\u003e\r\n\u003cli\u003ePath traversal in dloader.php (CWE-22) - CVE-2025-25223\u003c/li\u003e\r\n\u003cli\u003eMissing authentication in dloader.php (CWE-306) - CVE-2025-25224\u003c/li\u003e\u003c/ul\u003e\r\n\r\nCVE-2025-25221, CVE-2025-25222\r\nRikuto Tauchi reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2025-25223, CVE-2025-25224\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000012.html",
"sec:cpe": {
"#text": "cpe:/a:luxsoft:luxcal_web_calendar",
"@product": "The LuxCal Web Calendar",
"@vendor": "LuxSoft",
"@version": "2.2"
},
"sec:cvss": {
"@score": "7.3",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000012",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN26024080/index.html",
"@id": "JVN#26024080",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-25221",
"@id": "CVE-2025-25221",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-25222",
"@id": "CVE-2025-25222",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-25223",
"@id": "CVE-2025-25223",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-25224",
"@id": "CVE-2025-25224",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-89",
"@title": "SQL Injection(CWE-89)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in The LuxCal Web Calendar"
}
JVNDB-2023-000117
Vulnerability from jvndb - Published: 2023-11-20 17:15 - Updated:2023-11-20 17:15
Severity ?
Summary
Multiple vulnerabilities in LuxCal Web Calendar
Details
LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.
- SQL injection (CWE-89) - CVE-2023-46700
- Cross-site scripting (CWE-79) - CVE-2023-47175
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000117.html",
"dc:date": "2023-11-20T17:15+09:00",
"dcterms:issued": "2023-11-20T17:15+09:00",
"dcterms:modified": "2023-11-20T17:15+09:00",
"description": "LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.\r\n\r\n\u003cul\u003e\u003cli\u003eSQL injection (CWE-89) - CVE-2023-46700\u003c/li\u003e\u003cli\u003eCross-site scripting (CWE-79) - CVE-2023-47175\u003c/li\u003e\u003c/ul\u003e\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000117.html",
"sec:cpe": {
"#text": "cpe:/a:luxsoft:luxcal_web_calendar",
"@product": "The LuxCal Web Calendar",
"@vendor": "LuxSoft",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "7.5",
"@severity": "High",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "7.3",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000117",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN15005948/index.html",
"@id": "JVN#15005948",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-46700",
"@id": "CVE-2023-46700",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-47175",
"@id": "CVE-2023-47175",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-46700",
"@id": "CVE-2023-46700",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-47175",
"@id": "CVE-2023-47175",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-89",
"@title": "SQL Injection(CWE-89)"
}
],
"title": "Multiple vulnerabilities in LuxCal Web Calendar"
}
JVNDB-2023-000083
Vulnerability from jvndb - Published: 2023-08-21 13:29 - Updated:2024-03-26 17:09
Severity ?
Summary
Multiple vulnerabilities in LuxCal Web Calendar
Details
LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.
* Cross-site scripting (CWE-79) - CVE-2023-39543
* SQL injection (CWE-89) - CVE-2023-39939
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000083.html",
"dc:date": "2024-03-26T17:09+09:00",
"dcterms:issued": "2023-08-21T13:29+09:00",
"dcterms:modified": "2024-03-26T17:09+09:00",
"description": "LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.\r\n\r\n * Cross-site scripting (CWE-79) - CVE-2023-39543\r\n * SQL injection (CWE-89) - CVE-2023-39939\r\n\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000083.html",
"sec:cpe": {
"#text": "cpe:/a:luxsoft:luxcal_web_calendar",
"@product": "The LuxCal Web Calendar",
"@vendor": "LuxSoft",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "7.5",
"@severity": "High",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "7.3",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000083",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN04876736/index.html",
"@id": "JVN#04876736",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-39543",
"@id": "CVE-2023-39543",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-39939",
"@id": "CVE-2023-39939",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-39543",
"@id": "CVE-2023-39543",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-39939",
"@id": "CVE-2023-39939",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-89",
"@title": "SQL Injection(CWE-89)"
}
],
"title": "Multiple vulnerabilities in LuxCal Web Calendar"
}