ID |
CVE-2006-1372
|
Summary |
Multiple SQL injection vulnerabilities in 1WebCalendar 4.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) EventID parameter in viewEvent.cfm, (2) NewsID parameter in newsView.cfm, or (3) ThisDate parameter in mainCal.cfm. |
References |
|
Vulnerable Configurations |
|
CVSS |
Base: | 5.0 (as of 20-07-2017 - 01:30) |
Impact: | |
Exploitability: | |
|
CWE |
NVD-CWE-Other |
CAPEC |
|
Access |
Vector | Complexity | Authentication |
NETWORK |
LOW |
NONE |
|
Impact |
Confidentiality | Integrity | Availability |
NONE |
PARTIAL |
NONE |
|
cvss-vector
via4
|
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
refmap
via4
|
|
statements
via4
|
contributor | Greg Benson | lastmodified | 2007-01-03 | organization | Benson Solutions | statement | WebCalendar v4 has been updated to include fixes that filter the url numeric and date variables in question and prevent non-numeric and non-date values from being passed to the SQL queries. This fixes the problems with the pages in question. http://www.bensonitsolutions.com/Calendar/v4/ |
|
Last major update |
20-07-2017 - 01:30 |
Published |
24-03-2006 - 02:02 |
Last modified |
20-07-2017 - 01:30 |