PT-2006-7421 · Php · Php Icalendar

Lostmon · Published 2006-12-29 · Updated 2018-10-17 · CVE-2006-6824

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: PHP iCalendar versions 2.23 rc1 and earlier; PHP iCalendar version 2.24 (vectors b, c, and d)
Description: The issue allows remote attackers to inject arbitrary web script or HTML via several parameters in various PHP files. The affected parameters include getdate in multiple files, cpath in several files, query in search.php, and possibly cpath, unset, and set parameters in a setcookie action in preferences.php.
Recommendations: For PHP iCalendar versions 2.23 rc1 and earlier, consider disabling the affected parameters, such as getdate and cpath, in the respective PHP files until a patch is available. For PHP iCalendar version 2.24, restrict access to vectors b, c, and d, which are affected by the issue, until a fix is provided. As a temporary workaround, avoid using the query parameter in search.php and the cpath, unset, and set parameters in preferences.php until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2006-6824

Affected Products

Php Icalendar