Vulnerability Details: CVE-2006-1372
Potential exploit
Multiple SQL injection vulnerabilities in 1WebCalendar 4.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) EventID parameter in viewEvent.cfm, (2) NewsID parameter in newsView.cfm, or (3) ThisDate parameter in mainCal.cfm.
Vulnerability category: SQL Injection
Products affected by CVE-2006-1372
- cpe:2.3:a:benson_it_solutions:1webcalendar:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2006-1372
EPSS score: 0.67% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~69% (the proportion of vulnerabilities scored at or below this)
CVSS scores for CVE-2006-1372
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
Vendor statements for CVE-2006-1372
- Benson Solutions, 2007-01-03: WebCalendar v4 has been updated to include fixes that filter the URL numeric and date variables in question and prevent non-numeric and non-date values from being passed to the SQL queries. This fixes the problems with the pages in question. http://www.bensonitsolutions.com/Calendar/v4/
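The filtering the vendor statement describes, shown here as an added CFML illustration that is not 1WebCalendar's own code: the unsafe concatenation of a URL parameter into a query beside the hardened form that validates the value and binds it with a typed parameter. The datasource, table and column names are assumed.

```cfml
<!--- Added illustration, not 1WebCalendar's code. Datasource "calendarDSN",
      table "Events" and its columns are assumed names. --->

<!--- Unsafe pattern: the raw URL value is substituted into the SQL text,
      so a value that is not a number alters the query itself. --->
<cfquery name="eventRaw" datasource="calendarDSN">
    SELECT EventID, Title, EventDate
    FROM Events
    WHERE EventID = #url.EventID#
</cfquery>

<!--- Hardened pattern for viewEvent.cfm's EventID: reject anything that is not
      an integer, then bind it as a typed parameter so it is never parsed as SQL. --->
<cfif NOT structKeyExists(url, "EventID") OR NOT isValid("integer", url.EventID)>
    <cfthrow type="InvalidParameter" message="EventID must be an integer.">
</cfif>
<cfquery name="eventSafe" datasource="calendarDSN">
    SELECT EventID, Title, EventDate
    FROM Events
    WHERE EventID = <cfqueryparam value="#url.EventID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same treatment for mainCal.cfm's ThisDate: validate as a date, then bind
      it with a date type rather than as free text. --->
<cfif NOT structKeyExists(url, "ThisDate") OR NOT isDate(url.ThisDate)>
    <cfthrow type="InvalidParameter" message="ThisDate must be a valid date.">
</cfif>
<cfquery name="dayEvents" datasource="calendarDSN">
    SELECT EventID, Title
    FROM Events
    WHERE EventDate = <cfqueryparam value="#createODBCDate(url.ThisDate)#" cfsqltype="cf_sql_date">
</cfquery>
```

The NewsID parameter in newsView.cfm takes the same integer treatment as EventID.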
References for CVE-2006-1372
- http://www.osvdb.org/24021
- http://www.vupen.com/english/advisories/2006/1040
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25373
- http://secunia.com/advisories/19329 (Exploit)
- http://www.securityfocus.com/bid/17193
- http://pridels0.blogspot.com/2006/03/1webcalendar-v-4x-vuln.html
- http://www.osvdb.org/24022
- http://www.osvdb.org/24023