WebCalendar <= 1.2.4 (install/index.php) PHP Code Injection Vulnerability

Description:

WebCalendar contains an access restriction weakness when passing input to the install/index.php script. This allows an attacker to update includes/settings.php with arbitrary values, leading to execution of arbitrary PHP code.

References:

• CVE-2012-1495
• CVE-2012-5385
• BID-53207
• EDB-18775

Disclosure Date:

April 23, 2012