WebCalendar Multiple CSS and CSRF Vulnerabilities

Published: 2010-02-19 10:58:13
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Detection Type:
Remote Banner

Impact:
Successful exploitation could allow attackers to conduct cross-site scripting and request forgery attacks.

Affected Versions:
WebCalendar version 1.2.0 and prior.

Technical Details:
- Input passed to the 'tab' parameter in 'users.php' is not properly sanitised before being returned to the user.
- Input appended to the URL after 'day.php', 'month.php', and 'week.php' is not properly sanitised before being returned to the user.
- The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to delete an event, ban an IP address from posting, or change the administrative password if a logged-in administrative user visits a malicious web site.

Recommendations:
Upgrade to WebCalendar version 1.2.1 or later.
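A banner-based version check matching this advisory's affected range (1.2.0 and prior, fixed in 1.2.1), added here as an illustration; it is not the scanner plugin's own code, and the "WebCalendar vX.Y.Z" footer format and the sample banners are constructed assumptions.

```python
import re
from typing import Optional, Tuple

# Fixed version per the advisory: everything strictly below 1.2.1 is affected.
FIXED_VERSION = (1, 2, 1)

# Constructed sample banners (assumed footer format, not captured from real hosts).
SAMPLE_BANNERS = {
    "old": "Powered by WebCalendar v1.2.0 (12 Feb 2009)",
    "older": "WebCalendar v1.1.2",
    "fixed": "Powered by WebCalendar v1.2.1 (20 Feb 2010)",
    "newer": "WebCalendar v1.3.0",
    "none": "Some other calendar application",
}

# Assumed banner pattern: product name followed by an optional 'v' and a dotted version.
_BANNER_RE = re.compile(r"WebCalendar\s+v?(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the WebCalendar version from banner text as an int tuple, or None."""
    m = _BANNER_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version: Tuple[int, ...], length: int) -> Tuple[int, ...]:
    # Pad short versions with zeros so "1.2" compares as 1.2.0.
    return version + (0,) * (length - len(version))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the version is 1.2.0 or prior, i.e. strictly below the fixed 1.2.1."""
    length = max(len(version), len(FIXED_VERSION))
    return _pad(version, length) < _pad(FIXED_VERSION, length)


def assess(banner: str) -> str:
    """Classify a banner as 'affected', 'not affected', or 'unknown' (no version seen)."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:6s} {assess(banner):13s} <- {banner}")
```

A banner match only says the reported version falls in the affected range; it cannot see a vendor patch applied without a version bump, so confirm against the installed release before closing a finding.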

Summary:
The host is running WebCalendar and is prone to multiple CSS and CSRF Vulnerabilities.

Solution Type:
Vendor Patch

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2010-0636
https://nvd.nist.gov/vuln/detail/CVE-2010-0637
https://nvd.nist.gov/vuln/detail/CVE-2010-0638

SecurityFocus Bugtraq ID:

https://www.securityfocus.com/bid/38053

References:

http://secunia.com/advisories/38222
http://holisticinfosec.org/content/view/133/45/

Severity:
Medium

CVSS Score:
6.8