Name of the Vulnerable Software and Affected Versions:
ExtCalendar versions 2 and earlier
Description:
The issue allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly to perform other unauthorized actions, by sending modified values to "register.php".
Recommendations:
For ExtCalendar versions 2 and earlier, consider disabling the password change functionality in "profile.php" until a patch is available. Restrict access to "register.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
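The control that this class of flaw calls for, shown as an added example in PHP (it is not ExtCalendar source code and not a vendor patch): the account to modify is taken from the server-side session, and the original password must verify before the stored hash is replaced. The function name, array layout and sample accounts are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: hypothetical handler, not ExtCalendar code.
declare(strict_types=1);

/**
 * Change the password of the logged-in user only.
 * $session, $post and $users stand in for $_SESSION, $_POST and the user table
 * (assumed layout). Returns a status string; $users changes only on 'ok'.
 */
function change_password(array $session, array $post, array &$users): string
{
    // The target account comes from the server-side session, never from a
    // request field, so a request cannot name another user as the target.
    $uid = $session['user_id'] ?? null;
    if ($uid === null || !isset($users[$uid])) {
        return 'not_authenticated';
    }
    // The original password must be supplied and must match the stored hash.
    $current = $post['current_password'] ?? '';
    if (!is_string($current) || !password_verify($current, $users[$uid]['hash'])) {
        return 'wrong_current_password';
    }
    $new = $post['new_password'] ?? '';
    if (!is_string($new) || $new === '') {
        return 'missing_new_password';
    }
    $users[$uid]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return 'ok';
}

// Constructed sample data.
$users = [
    1 => ['name' => 'alice', 'hash' => password_hash('alice-old-pass', PASSWORD_DEFAULT)],
    2 => ['name' => 'bob',   'hash' => password_hash('bob-old-pass', PASSWORD_DEFAULT)],
];
$session = ['user_id' => 1];

// A request that carries a user_id field for another account and omits the
// original password is refused; the extra field is ignored entirely.
echo change_password($session, ['user_id' => 2, 'new_password' => 'replacement-1'], $users), "\n";

// The logged-in user changing their own password with the original one succeeds.
echo change_password($session, ['current_password' => 'alice-old-pass',
    'new_password' => 'replacement-1'], $users), "\n";

// The other account's stored hash is unchanged after both calls.
echo password_verify('bob-old-pass', $users[2]['hash']) ? "bob unchanged\n" : "bob modified\n";
```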