MidnightBSD

Advisories for php-calendar

CVE-2004-1423 HIGH

Multiple PHP remote file inclusion vulnerabilities in Sean Proctor PHP-Calendar before 0.10.1, as used in Commonwealth of Massachusetts Virtual Law Office (VLO) and other products, allow remote attackers to execute arbitrary PHP code via a URL in the phpc_root_path parameter to (1) includes/calendar.php or (2) includes/setup.php.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94

Products Affected

Vendor Product Version
php-calendar php-calendar 0.2
php-calendar php-calendar 0.9
php-calendar php-calendar 0.9.1
php-calendar php-calendar 0.5
php-calendar php-calendar 0.7
php-calendar php-calendar 0.6
php-calendar php-calendar 0.3
php-calendar php-calendar 0.1
php-calendar php-calendar 0.8
php-calendar php-calendar 0.4
php-calendar php-calendar *

CVE-2005-1397 HIGH

SQL injection vulnerability in search.php for PHP-Calendar before 0.10.3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
php-calendar php-calendar 0.2
php-calendar php-calendar 0.9
php-calendar php-calendar 0.9.1
php-calendar php-calendar 0.5
php-calendar php-calendar 0.7
php-calendar php-calendar 0.6
php-calendar php-calendar 0.3
php-calendar php-calendar 0.1
php-calendar php-calendar 0.8
php-calendar php-calendar 0.10
php-calendar php-calendar 0.4

CVE-2010-2041 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in index.php in PHP-Calendar before 2.0 Beta7 allow remote attackers to inject arbitrary web script or HTML via the (1) description and (2) lastaction parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
php-calendar php-calendar 0.2
php-calendar php-calendar 0.9
php-calendar php-calendar 0.7
php-calendar php-calendar 0.3
php-calendar php-calendar 0.10
php-calendar php-calendar *
php-calendar php-calendar 0.9.1
php-calendar php-calendar 1.1
php-calendar php-calendar 0.5
php-calendar php-calendar 0.6
php-calendar php-calendar 2.0
php-calendar php-calendar 0.1
php-calendar php-calendar 0.8
php-calendar php-calendar 0.4

CVE-2017-6485 MEDIUM

A Cross-Site Scripting (XSS) issue was discovered in php-calendar before 2017-03-03. The vulnerability exists due to insufficient filtration of user-supplied data (errorMsg) passed to the "php-calendar-master/error.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
php-calendar php-calendar *

CVE-2022-4455 MEDIUM

A vulnerability was identified in sproctor php-calendar up to 2.0.13. This impacts an unknown function of the file index.php. Such manipulation of the argument $_SERVER['PHP_SELF'] leads to cross-site scripting. The attack may be launched remotely. The name of the patch is a2941109b42201c19733127ced763e270a357809. It is advisable to implement a patch to correct this issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79, CWE-94, CWE-79

Products Affected

Vendor Product Version
php-calendar php-calendar *