icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

WebCalendar < 1.0.2 Multiple Vulnerabilities

High

Synopsis

The remote web server has a PHP application that is affected by multiple vulnerabilities.

Description

The remote web server has a PHP application that is affected by multiple vulnerabilities. The remote version of WebCalendar does not validate input to the 'id' and 'format' parameters of the 'export_handler.php' script before using it to overwrite files on the remote host, subject to the privileges of the web server user ID. In addition, the 'activity_log.php', 'admin_handler.php', 'edit_report_handler.php', 'edit_template.php' and 'export_handler.php' scripts are prone to SQL injection attacks and the 'layers_toggle.php' script is prone to HTTP response splitting attacks.

Solution

Upgrade to version 1.0.2 or higher.