WebCalendar users.php user_valid_crypt Parameter < 1.0.0 SQL Injection

High

Synopsis

The remote web server contains a script that is vulnerable to a SQL injection attack.

Description

The remote host is running WebCalendar, a web-based calendar management program. This version of WebCalendar is vulnerable to a SQL injection attack via the user_valid_crypt parameter of the users.php script. An attacker who exploits this flaw could read or modify data, or execute commands as the web server process.

Solution

Upgrade to version 1.0.0 or higher.