PHP iCalendar < 2.25 Administrative Bypass

High Nessus Network Monitor Plugin ID 4690

Synopsis

The remote host is vulnerable to a flaw that allows authentication to be bypassed.

Description

The remote host is running PHP iCalendar, an open-source PHP blog. This version of PHP iCalendar is vulnerable to a flaw whereby a remote user can gain administrative access to the application simply by manually altering their cookie.

Solution

When available, upgrade to version 2.25 or higher.

See Also

http://www.phpicalendar.net

Plugin Details

Severity: High

ID: 4690

Family: CGI

Published: 2008/09/23

Modified: 2016/01/21

Dependencies: 1442

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:U/RC:ND

CVSSv3

Base Score: 7.3

Temporal Score: 7.1

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:php_icalendar:php_icalendar

Reference Information

CVE: CVE-2008-5840, CVE-2006-1291, CVE-2006-1292

BID: 31320, 17125, 17129