CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 1CVE-2008-5967 – PHP iCalendar 2.24 - 'cookie_language' Local File Inclusion / Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2008-5967
admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ directory outside the web root. El acceso a admin/index.php en PHP icalendar 2.3.4, 2.24 y anteriores no requiere autenticación de administración apara las acciones addupdate, lo que permite a atacantes remotos subir un calendario (un fichero .ics) con contenidos arbitrarios al directorio calendars/ fuera de la raíz del árbol de directorios de la interfaz web. • https://www.exploit-db.com/exploits/6519 http://secunia.com/advisories/31944 https://exchange.xforce.ibmcloud.com/vulnerabilities/48323 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 16EXPL: 1CVE-2008-5968 – PHP iCalendar 2.24 - 'cookie_language' Local File Inclusion / Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2008-5968
Directory traversal vulnerability in print.php in PHP iCalendar 2.24 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cookie_language parameter in a phpicalendar_* cookie, a different vector than CVE-2006-1292. Una vulnerabilidad de salto de directorio en print.php en versiones de PHP icalendar 2.24 y anteriores permite a atacantes remotos incluir y ejecutar archivos locales arbitrarios a través de un .. (punto punto) en el parámetro cookie_language en una cookie phpicalendar_*. Se trata de un vector diferente al de CVE-2006-1292. • https://www.exploit-db.com/exploits/6519 https://exchange.xforce.ibmcloud.com/vulnerabilities/48322 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 1%CPEs: 17EXPL: 2CVE-2008-5840 – PHP iCalendar 2.24 - Insecure Cookie Handling
https://notcve.org/view.php?id=CVE-2008-5840
PHP iCalendar 2.24 and earlier allows remote attackers to bypass authentication by setting the phpicalendar and phpicalendar_login cookies to 1. PHP iCalendar v2.24 y anteriores permite a atacantes remotos evitar la autenticación estableciendo las cookies phpicalendar y phpicalendar_login a 1. • https://www.exploit-db.com/exploits/6526 http://securityreason.com/securityalert/4865 http://www.securityfocus.com/bid/31320 https://exchange.xforce.ibmcloud.com/vulnerabilities/45338 • CWE-264: Permissions, Privileges, and Access Controls •