Multiple vulnerabilities in TeamCal Neo
Posted date 31/01/2025
Identifier
INCIBE-2025-0051
Importance
5 - Critical
Affected Resources
- TeamCal Neo, version 3.8.2.
Description
INCIBE has coordinated the publication of 2 vulnerabilities, one critical and one of medium severity, affecting Lewe's TeamCal Neo, a day-based online calendar for managing the events and absences of work teams. The vulnerabilities were discovered by Ignacio Garcia Mestre (Br4v3n).
Each vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-0929: CVSS v3.1: 9.8 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89
- CVE-2025-0930: CVSS v3.1: 6.1 | CVSS AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79
Solution
There is no reported solution at this time.
Detail
- CVE-2025-0929: SQL injection vulnerability in TeamCal Neo, version 3.8.2. This could allow an attacker to retrieve, update and delete all database information by injecting a malicious SQL statement via the ‘abs’ parameter in ‘/teamcal/src/index.php’.
- CVE-2025-0930: Reflected Cross-Site Scripting (XSS) in TeamCal Neo, version 3.8.2. This allows an attacker to execute malicious JavaScript code by injecting it via the ‘abs’ parameter in ‘/teamcal/src/index.php’.
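Since no fix is reported, one way to triage exposure is to review web server access logs for requests to the affected path whose ‘abs’ parameter does not look like a plain identifier. The following is an added example, not code from INCIBE or the TeamCal Neo project. It assumes common/combined-format access logs, an installation at the path given in the advisory, and that legitimate ‘abs’ values are short alphanumeric identifiers; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path and parameter named in the advisory.
TARGET_PATH = "/teamcal/src/index.php"
PARAM = "abs"
# Assumption: legitimate 'abs' values are short alphanumeric identifiers.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Request line of a common/combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_abs_values(line):
    """Return the decoded 'abs' values in one log line that fail the allowlist."""
    match = REQUEST.search(line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    if fully_decode(url.path).lower() != TARGET_PATH:
        return []
    values = [fully_decode(v) for v in parse_qs(url.query).get(PARAM, [])]
    return [v for v in values if not SAFE_VALUE.fullmatch(v)]

def scan(lines):
    """Yield (line_number, values) for every log line worth reviewing."""
    for number, line in enumerate(lines, start=1):
        hits = suspicious_abs_values(line)
        if hits:
            yield number, hits

# Constructed sample log lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jan/2025:10:00:01 +0000] "GET /teamcal/src/index.php?abs=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [31/Jan/2025:10:00:07 +0000] "GET /teamcal/src/index.php?abs=12%27 HTTP/1.1" 500 310',
    '203.0.113.9 - - [31/Jan/2025:10:00:09 +0000] "GET /teamcal/src/index.php?abs=%253Cb%253E HTTP/1.1" 200 5200',
    '203.0.113.7 - - [31/Jan/2025:10:00:12 +0000] "GET /other/index.php?abs=%27 HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: review abs={hits!r}")
```

Access logs normally record only the query string, so values sent in a POST body are not covered by this check. A hit is a prompt for manual review, not confirmation of exploitation.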