admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ directory outside the web root.

CPE:

Name | Operator | Version |
---|---|---|
phpicalendar | eq | 2.22 |
phpicalendar | eq | 2.21 |
phpicalendar | eq | 2.23 rc1 |
phpicalendar | eq | 2.2 |
phpicalendar | eq | 0.9 |
phpicalendar | eq | 2.0.1 |
phpicalendar | eq | 2.23 |
phpicalendar | eq | 1.1 |
phpicalendar | eq | 0.8 |
phpicalendar | eq | 2.24 |