The upstream releases notes for version 1.2.7  indicate that if fixes several security-relevant bugs:
Version 1.2.7 (22 Jan 2013)
- Security fix: Do not show the reason for a failed login (i.e. "no such user")
- Security fix: Escape HTML characters in category name.
- Security fix: Check all passed in fields (either via HTML form or via
URL parameter) for certain malicious tags (script, embed, etc.) and
generate fatal error if found.
Current versions of Fedora are shipping a vulnerable version and should be updated.
Created WebCalendar tracking bugs for this issue:
Affects: fedora-all [bug 987152]
WebCalendar-1.2.7-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
WebCalendar-1.2.7-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.