CVE-2012-1978

Name of the Vulnerable Software and Affected Versions Simple PHP Agenda versions 2.2.8 and earlier

Description The issue allows remote attackers to hijack the authentication of administrators for various requests. This can be achieved through requests to several API endpoints, including "auth/process.php" to add an administrator, "auth/admin/adminprocess.php" to delete an administrator, "engine/new event.php" to add an event, or "phpagenda/" to delete an event.

Recommendations For Simple PHP Agenda versions 2.2.8 and earlier, consider implementing proper CSRF protection mechanisms, such as tokens, to prevent unauthorized requests. As a temporary workaround, restrict access to the "auth/process.php", "auth/admin/adminprocess.php", "engine/new event.php", and "phpagenda/" endpoints to minimize the risk of exploitation. Avoid performing sensitive actions, such as adding or deleting administrators and events, from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.