Detections
Analytics

WebCalendar Login Error Message User Account Enumeration

medium Nessus Plugin ID 21566

Language:

Synopsis

The remote web server is affected by an information disclosure issue.

Description

The version of WebCalendar on the remote host is prone to a user account enumeration weakness in that in response to login attempts it returns different error messages depending on whether the user exists or the password is invalid.

Solution

Upgrade to WebCalendar 1.0.4 or later.

See Also

https://www.securityfocus.com/archive/1/433053/30/0/threaded

https://www.securityfocus.com/archive/1/436263/30/0/threaded

http://www.nessus.org/u?2fe61fc9

Plugin Details

Severity: Medium

ID: 21566

File Name: webcalendar_info_disclosure.nasl

Version: 1.16

Type: remote

Family: CGI abuses

Published: 5/16/2006

Updated: 6/1/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Required KB Items: www/webcalendar

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 5/4/2006

Reference Information

CVE: CVE-2006-2247

BID: 17853