CVE-2006-1372

Name of the Vulnerable Software and Affected Versions 1WebCalendar versions 4.0 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the EventID parameter in "viewEvent.cfm", the NewsID parameter in "newsView.cfm", or the ThisDate parameter in "mainCal.cfm".

Recommendations For versions 4.0 and earlier, as a temporary workaround, consider restricting access to the vulnerable parameters EventID, NewsID, and ThisDate in their respective API endpoints until a patch is available. Avoid using these parameters in the affected API endpoints "viewEvent.cfm", "newsView.cfm", and "mainCal.cfm" until the issue is resolved.