PHP iCalendar < 2.25 Administrative Bypass

high Nessus Network Monitor Plugin ID 4690

Synopsis

The remote host is running a web application with an authentication bypass flaw.

Description

The remote host is running PHP iCalendar, an open-source, web-based viewer for iCalendar (.ics) files written in PHP. This version of PHP iCalendar is vulnerable to a flaw in which a remote user can gain administrative access to the application simply by editing the value of a cookie they send to it; the application trusts the client-supplied cookie contents when deciding whether the user is an administrator.
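The class of bug described above is a privilege flag that lives entirely on the client side. The following is an added illustration, not code from PHP iCalendar or from Tenable: a hypothetical vulnerable check that trusts a plaintext role cookie, beside a hardened check that binds the role to an HMAC computed with a server-side secret. The cookie name `phpicalendar_role`, the secret, the usernames and the forged requests are all constructed for this example.

```python
"""Client-controlled privilege flag (vulnerable) vs. server-authenticated
role cookie (hardened).  Illustrative model only; cookie name, secret and
requests are constructed and are not PHP iCalendar's actual code."""
import hashlib
import hmac

# Constructed server-side secret; a real deployment loads this from config,
# never from the client.
SERVER_SECRET = b"example-secret-not-for-production"
COOKIE_NAME = "phpicalendar_role"  # hypothetical cookie name


def is_admin_vulnerable(cookies: dict) -> bool:
    """Hypothetical vulnerable check: the role is whatever the client says.
    Editing the cookie in the browser to 'admin' grants admin access."""
    return cookies.get(COOKIE_NAME) == "admin"


def issue_role_cookie(username: str, role: str) -> str:
    """Hardened alternative: the server issues 'user:role:tag' where tag is an
    HMAC-SHA256 over 'user:role' keyed with SERVER_SECRET.  Changing the role
    without the secret invalidates the tag."""
    if ":" in username or ":" in role:
        raise ValueError("field separator not allowed in username or role")
    payload = f"{username}:{role}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def is_admin_hardened(cookies: dict) -> bool:
    """Accept the admin role only if the cookie's tag verifies."""
    cookie = cookies.get(COOKIE_NAME)
    if not cookie:
        return False
    parts = cookie.split(":")
    if len(parts) != 3:
        return False  # malformed or extra separators smuggled in
    username, role, tag = parts
    expected = hmac.new(
        SERVER_SECRET, f"{username}:{role}".encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so the tag cannot be recovered byte by byte.
    if not hmac.compare_digest(tag, expected):
        return False
    return role == "admin"


def demo() -> dict:
    """Run the forgery against both checks and report what each accepts."""
    # Constructed attacker request: the client just edits the cookie value.
    forged_plain = {COOKIE_NAME: "admin"}
    # Constructed attacker request in the signed format with a guessed tag.
    forged_signed = {COOKIE_NAME: "mallory:admin:" + "0" * 64}
    # Legitimate cookie issued by the server to a real administrator.
    legit_admin = {COOKIE_NAME: issue_role_cookie("alice", "admin")}
    # A real user's cookie with only the role field rewritten to 'admin'.
    tampered = {COOKIE_NAME: issue_role_cookie("bob", "user").replace(":user:", ":admin:")}
    return {
        "vulnerable_accepts_forged": is_admin_vulnerable(forged_plain),
        "hardened_rejects_forged_plain": not is_admin_hardened(forged_plain),
        "hardened_rejects_forged_signed": not is_admin_hardened(forged_signed),
        "hardened_rejects_tampered": not is_admin_hardened(tampered),
        "hardened_accepts_legit_admin": is_admin_hardened(legit_admin),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

A signed cookie is used here because it makes the forgery concrete; the more common fix is to keep the role in a server-side session keyed by an opaque random identifier, so no role data is ever sent to the client at all. Either way, the rule the vulnerable check breaks is the same: nothing the client sends may be used as an authorization decision without being authenticated by the server.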

Solution

Upgrade to PHP iCalendar version 2.25 or later when it is available.

See Also

http://www.phpicalendar.net

Plugin Details

Severity: High

ID: 4690

Family: CGI

Published: 9/23/2008

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:php_icalendar:php_icalendar

Reference Information

CVE: CVE-2006-1291, CVE-2006-1292, CVE-2008-5840

BID: 17125, 17129, 31320