Webcalendar: >> Webcalendar >> 1.0.3 Security Vulnerabilities
includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues.
CVSS Score
7.5
EPSS Score
0.016
Published
2007-03-08
PHP remote file inclusion vulnerability in includes/config.php in WebCalendar 1.0.3 allows remote attackers to execute arbitrary PHP code via a URL in the includedir parameter, which is remotely accessed in an fopen call whose results are used to define a user_inc setting that is used in an include_once call.
CVSS Score
6.4
EPSS Score
0.01
Published
2006-06-02
WebCalendar 1.0.1 to 1.0.3 generates different error messages depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames.
CVSS Score
5.0
EPSS Score
0.006
Published
2006-05-09