ID CVE-2006-1372
Summary Multiple SQL injection vulnerabilities in 1WebCalendar 4.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) EventID parameter in viewEvent.cfm, (2) NewsID parameter in newsView.cfm, or (3) ThisDate parameter in mainCal.cfm.
References
Vulnerable Configurations
  • cpe:2.3:a:benson_it_solutions:1webcalendar:*:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 20-07-2017 - 01:30)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
refmap via4
bid 17193
misc http://pridels0.blogspot.com/2006/03/1webcalendar-v-4x-vuln.html
osvdb
  • 24021
  • 24022
  • 24023
secunia 19329
vupen ADV-2006-1040
xf 1webcalendar-multiple-sql-injection(25373)
statements via4
contributor Greg Benson
lastmodified 2007-01-03
organization Benson Solutions
statement WebCalendar v4 has been updated to include fixes that filter the url numeric and date variables in question and prevent non-numeric and non-date values from being passed to the SQL queries. This fixes the problems with the pages in question. http://www.bensonitsolutions.com/Calendar/v4/
Last major update 20-07-2017 - 01:30
Published 24-03-2006 - 02:02