CVE-2009-3702

Name of the Vulnerable Software and Affected Versions PHP-Calendar version 1.1

Description The issue allows remote attackers to include and execute arbitrary local files via a full pathname in the configfile parameter to API endpoints such as "update08.php" or "update10.php". In some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.

Recommendations For PHP-Calendar version 1.1, consider restricting access to the update08.php and update10.php API endpoints to minimize the risk of exploitation. Avoid using the configfile parameter in these endpoints until the issue is resolved.