includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues.

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.01589
Percentile: 0.8083

CVSS Scoring

Affected Products

• cpe:2.3:a:webcalendar:webcalendar:1.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:webcalendar:webcalendar:1.0.1:*:*:*:*:*:*:*
• cpe:2.3:a:webcalendar:webcalendar:1.0.2:*:*:*:*:*:*:*
• cpe:2.3:a:webcalendar:webcalendar:1.0.3:*:*:*:*:*:*:*
• cpe:2.3:a:webcalendar:webcalendar:1.0.4:*:*:*:*:*:*:*

← Back to Home