Vulnerability Details : CVE-2012-1495
Public exploit exists!
install/index.php in WebCalendar before 1.2.5 allows remote attackers to execute arbitrary code via the form_single_user_login parameter.
Vulnerability category: Execute code
Products affected by CVE-2012-1495
- cpe:2.3:a:webcalendar_project:webcalendar:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-1495
- 97.02%: Probability of exploitation activity in the next 30 days
- ~ 100 %: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2012-1495
- WebCalendar 1.2.4 Pre-Auth Remote Code Injection
  Disclosure Date: 2012-04-23
  First seen: 2020-04-26
  exploit/linux/http/webcalendar_settings_exec
  This module exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or earlier. If it is not removed, the settings.php script meant for installation can be updated by an attacker, who can then inject code into it. This allows arbitrary code execution as www-data.
CVSS scores for CVE-2012-1495
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2012-1495
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-1495
- https://www.exploit-db.com/exploits/18775
  WebCalendar 1.2.4 - Remote Code Execution - PHP webapps Exploit (Exploit; Third Party Advisory; VDB Entry)
- http://sourceforge.net/projects/webcalendar/files/webcalendar%201.2/1.2.5/
  WebCalendar - Browse /webcalendar 1.2/1.2.5 at SourceForge.net (Release Notes; Third Party Advisory)
- https://packetstormsecurity.com/files/112332/WebCalendar-1.2.4-Remote-Code-Execution.html
  WebCalendar 1.2.4 Remote Code Execution ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://packetstormsecurity.com/files/112323/WebCalendar-1.2.4-Pre-Auth-Remote-Code-Injection.html
  WebCalendar 1.2.4 Pre-Auth Remote Code Injection ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)