CVE-2008-2836

Current Description

PHP remote file inclusion vulnerability in send_reminders.php in WebCalendar 1.0.4 allows remote attackers to execute arbitrary PHP code via a URL in the includedir parameter and a 0 value for the noSet parameter, a different vector than CVE-2007-1483.

Basic Data

Published: June 24, 2008
Last Modified: September 29, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-94
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 7.5
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: true

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
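    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 2.3 | Application | K5n | Webcalendar | 1.0.4 | * | * | * | * | * | * | * | | | | |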

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| K5n | Webcalendar | 1.0.4 |

References

| Name | Source | URL | Tags |
|---|---|---|---|
| [webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch) | MLIST | http://sourceforge.net/mailarchive/forum.php?thread_name=45EAF486.9080902%40k5n.us&forum_name=webcal | |
| 29783 | BID | http://www.securityfocus.com/bid/29783 | Exploit |
| 1020357 | SECTRACK | http://www.securitytracker.com/id?1020357 | |
| webcalendar-send-reminders-file-include(43156) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/43156 | |
| 5847 | EXPLOIT-DB | https://www.exploit-db.com/exploits/5847 | |