CVE-2009-4929
TotalCalendar 2.4 is affected. The vulnerability is in admin/manage_users.php, which does not require administrative authentication, allowing remote attackers to change arbitrary passwords via the newPW1/newPW2 parameters. The CVSSv2 base score is 7.5 (HIGH) with a network attack vector, no authenticati...