PatchSiren cyber security CVE debrief
CVE-2017-6485 PHP Calendar CVE debrief
CVE-2017-6485 is a cross-site scripting (XSS) vulnerability in php-calendar. The issue comes from insufficient filtering of user-supplied data in the errorMsg parameter passed to php-calendar-master/error.php, allowing an attacker to inject HTML or script content into a victim’s browser in the context of the vulnerable site. NVD classifies the weakness as CWE-79 and rates the issue CVSS 3.0 6.1 (Medium). Because exploitation requires a user to visit a crafted URL or otherwise process attacker-controlled input, this is primarily a web application integrity and session-risk issue rather than an availability problem.
- Vendor: PHP Calendar
- Product: CVE-2017-6485
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-05
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-05
- Advisory updated: 2026-05-13
Who should care
Administrators and maintainers of php-calendar deployments, application security teams, and anyone embedding php-calendar in a publicly reachable website should review this issue. It is especially relevant where error.php can be reached from untrusted input or where users may be lured into opening attacker-crafted links.
Technical summary
The NVD record describes an XSS flaw in php-calendar caused by insufficient output filtering of the errorMsg parameter in php-calendar-master/error.php. The attack surface is web-based and network reachable, with user interaction required. NVD maps the weakness to CWE-79 and provides a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that a successful attack can affect browser-context confidentiality and integrity but not availability. NVD’s CPE criteria mark php-calendar as vulnerable through version 2015-12-04.
Defensive priority
Medium. This is not marked as a KEV item in the provided corpus, but it remains important because browser-based XSS can expose user sessions, alter page content, and mislead users on otherwise trusted sites.
Recommended defensive actions
- Review whether php-calendar is still deployed and identify all exposed instances.
- Apply the vendor-supplied fix or replace the affected component if no maintained patch path exists.
- Ensure error.php and any related error-message handling perform output encoding appropriate to the HTML context.
- Block or strictly validate user-controlled values such as errorMsg before they reach browser output.
- Add regression tests or security checks for reflected XSS on error-handling pages.
- Monitor logs and application telemetry for suspicious requests targeting error.php or unusual errorMsg payloads.
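The output-encoding and strict-validation actions above, shown together as an added example written for this debrief (it is not php-calendar's own code, and the error identifiers, messages and function names are constructed): the untrusted errorMsg value is first resolved against an allow-list of server-controlled messages, then HTML-encoded before it reaches the page.

```php
<?php
// Added example (not php-calendar's own code): hardened handling for a
// reflected error-message parameter such as the errorMsg value in CVE-2017-6485.
declare(strict_types=1);

// Allow-listed error identifiers mapped to fixed, server-controlled text.
// Keys and messages are constructed for this example.
const ERROR_MESSAGES = [
    'invalid_date'  => 'The requested date could not be parsed.',
    'no_calendar'   => 'The requested calendar does not exist.',
    'not_permitted' => 'You are not permitted to perform this action.',
];

/**
 * Resolve an untrusted errorMsg value to server-controlled text.
 * Unknown or malformed values fall back to a generic message and are never echoed.
 */
function resolve_error_message(string $untrusted): string
{
    // Strict validation: only short lowercase identifiers are even looked up.
    if (preg_match('/\A[a-z_]{1,32}\z/', $untrusted) === 1
        && array_key_exists($untrusted, ERROR_MESSAGES)) {
        return ERROR_MESSAGES[$untrusted];
    }
    return 'An error occurred while processing your request.';
}

/** Encode a string for an HTML text or quoted-attribute context. */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the error fragment; encoding is applied even to allow-listed text. */
function render_error_page(string $untrusted): string
{
    return '<p class="error">' . html_encode(resolve_error_message($untrusted)) . '</p>';
}

// Stand-alone demonstration with constructed inputs; the second value shows
// that markup in an unknown errorMsg is replaced by the generic message.
foreach (['invalid_date', '<b>not reflected</b>', 'no_calendar'] as $sample) {
    echo render_error_page($sample), PHP_EOL;
}

// In a request handler the parameter would be passed in as a string only:
// $raw = $_GET['errorMsg'] ?? '';
// echo render_error_page(is_string($raw) ? $raw : '');
```

The regression check from the action list can reuse `render_error_page()`: call it with a canary containing angle brackets and assert the canary does not appear in the returned HTML.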
Evidence notes
The source corpus states that the vulnerability is a Cross-Site Scripting issue in php-calendar before 2017-03-03, with the flaw caused by insufficient filtering of user-supplied errorMsg data passed to php-calendar-master/error.php. NVD’s modified CVE record lists CWE-79 and the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and its CPE criteria mark cpe:2.3:a:php-calendar:php-calendar:*:*:*:*:*:*:*:* as vulnerable through versionEndIncluding 2015-12-04. The provided vendor/reference link points to GitHub issue #4 as the advisory reference.
Official resources
- CVE-2017-6485 CVE record (CVE.org)
- CVE-2017-6485 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
The CVE was published by NVD on 2017-03-05 and later modified on 2026-05-13 in the provided record snapshot. The referenced vendor advisory material in the corpus is GitHub issue #4 for php-calendar.