This morning, I was alerted to suspicious activity in server logs referring to the My Calendar print view by a concerned user. Checking the data, it was clear that there was a significant security issue in My Calendar which was being used to generate links out to remote sites by abusing the referrer URL (Uniform Resource Locator) in the My Calendar print view. This security issue was fixed in version 3.3.17, released this morning.

The issue would not impact any user navigating to the print view from your own site calendar, but could be used by an external site to generate a dynamic view on your site with a link of their choice. The primary use case for this abuse would probably be SEO manipulation by generating fake backlinks, though it is possible it could be used to send users from an external site through your site to a malicious URL.

Please update to version 3.3.17 as soon as possible! Thanks to Dan Kegel for the responsible and prompt disclosure.