PT-2010-1732 · Totalcalendar · Totalcalendar

The G0Bl!N

Published

2010-07-09

Updated

2017-09-19

CVE-2009-4929

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions TotalCalendar version 2.4

Description The issue concerns a lack of administrative authentication in the admin/manage users.php file, allowing remote attackers to change arbitrary passwords using the newPW1 and newPW2 parameters.

Recommendations For TotalCalendar version 2.4, ensure that administrative authentication is properly implemented for the admin/manage users.php file to prevent unauthorized password changes. As a temporary workaround, consider restricting access to the admin/manage users.php file until a proper fix is applied.

Exploit

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2009-4929

Affected Products

Totalcalendar

PT-2010-1732 · Totalcalendar · Totalcalendar

CVE-2009-4929

Weakness Enumeration

Related Identifiers

Affected Products

References · 5