Vulnerabilities
Vulnerable Software
WebCalendar before 1.0.0 does not properly restrict access to assistant_edit.php, which allows remote attackers to gain privileges.
CVSS Score: 7.5
EPSS Score: 0.007
Published: 2005-07-19
Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar allow remote attackers to inject arbitrary web script via (1) view_entry.php, (2) view_d.php, (3) usersel.php, (4) datesel.php, (5) trailer.php, or (6) styles.php, as demonstrated using img src tags.
CVSS Score: 4.3
EPSS Score: 0.004
Published: 2004-12-31
CRLF injection vulnerability in login.php in WebCalendar allows remote attackers to inject CRLF sequences via the return_path parameter and perform HTTP Response Splitting attacks to modify expected HTML content from the server.
CVSS Score: 5.0
EPSS Score: 0.004
Published: 2004-12-31
init.php in WebCalendar allows remote attackers to execute arbitrary local PHP scripts via the user_inc parameter.
CVSS Score: 7.5
EPSS Score: 0.009
Published: 2004-12-31
validate.php in WebCalendar allows remote attackers to gain sensitive information via an invalid encoded_login parameter, which reveals the full path in an error message.
CVSS Score: 5.0
EPSS Score: 0.004
Published: 2004-12-31
WebCalendar allows remote attackers to gain privileges by modifying critical parameters to (1) view_entry.php or (2) upcoming.php.
CVSS Score: 7.5
EPSS Score: 0.015
Published: 2004-12-31

