There is an XSS issue in the page; if you write a script into the comment for an event, then hovering the person's name causes the script to be run. This is most probably a stored XSS, as the comment is shown to all users. The problem does not appear on t

Make a comment to an event, something like

</p><script>alert("Vie kursorisi muualle!")</script><p>

And save the comment. Then hover over to your own user tab (of the event, which shows that you have a comment). The script is run.

1 reply


tämä on nyt korjattu. Kiitoksia ilmoituksesta.