CVE-2009-4929

Name of the Vulnerable Software and Affected Versions TotalCalendar version 2.4

Description The issue concerns a lack of administrative authentication in the admin/manage users.php file, allowing remote attackers to change arbitrary passwords using the newPW1 and newPW2 parameters.

Recommendations For TotalCalendar version 2.4, ensure that administrative authentication is properly implemented for the admin/manage users.php file to prevent unauthorized password changes. As a temporary workaround, consider restricting access to the admin/manage users.php file until a proper fix is applied.