[VIM] ltwCalendar = PHP Event Calendar, and vendor ACK
Steven M. Christey
coley at mitre.org
Fri Dec 1 19:18:12 EST 2006

See details below. Looks like many of us wound up with duplicates.
Note that the CONFIRM has a couple more security issues that haven't
been picked up by VDBs.

Acknowledged: yes changelog
Reference: BUGTRAQ:20060622 Calendar ( Provided by Codewalkers ) - SQL Injection
Reference: BUGTRAQ:20060627 Re: Calendar ( Provided by Codewalkers ) - SQL Injection

SQL injection vulnerability in calendar.php in Codewalkers ltwCalendar
(aka PHP Event Calendar) 4.2, 4.1.3, and earlier allows remote
attackers to execute arbitrary SQL commands via the id parameter.

ACCURACY: product's home page (http://ltwcalendar.sourceforge.net/)
refers to the product as "ltwCalendar - PHP Event Calendar" and it has
been called by both names on occasion. Multiple disclosures have used

ACKNOWLEDGEMENT: vendor changelog for 4.2.1 says "BUG FIX: Fixed a
known SQL injection vulnerability relating to the 'id' tag."