Vulnerabilities > CVE-2006-1372 - SQL Injection vulnerability in 1WebCalendar
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Multiple SQL injection vulnerabilities in 1WebCalendar 4.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) EventID parameter in viewEvent.cfm, (2) NewsID parameter in newsView.cfm, or (3) ThisDate parameter in mainCal.cfm.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Exploit-Db
description 1WebCalendar 4.0 mainCal.cfm SQL Injection. CVE-2006-1372. Webapps exploit for cfm platform id EDB-ID:27457 last seen 2016-02-03 modified 2006-03-22 published 2006-03-22 reporter r0t3d3Vil source https://www.exploit-db.com/download/27457/ title 1WebCalendar 4.0 mainCal.cfm SQL Injection description 1WebCalendar 4.0 /news/newsView.cfm NewsID Parameter SQL Injection. CVE-2006-1372. Webapps exploit for cfm platform id EDB-ID:27456 last seen 2016-02-03 modified 2006-03-22 published 2006-03-22 reporter r0t3d3Vil source https://www.exploit-db.com/download/27456/ title 1WebCalendar 4.0 /news/newsView.cfm NewsID Parameter SQL Injection description 1WebCalendar 4.0 viewEvent.cfm EventID Parameter SQL Injection. CVE-2006-1372. Webapps exploit for cfm platform id EDB-ID:27455 last seen 2016-02-03 modified 2006-03-22 published 2006-03-22 reporter r0t3d3Vil source https://www.exploit-db.com/download/27455/ title 1WebCalendar 4.0 - viewEvent.cfm EventID Parameter SQL Injection
Statements
| contributor | Greg Benson |
| lastmodified | 2007-01-03 |
| organization | Benson Solutions |
| statement | WebCalendar v4 has been updated to include fixes that filter the url numeric and date variables in question and prevent non-numeric and non-date values from being passed to the SQL queries. This fixes the problems with the pages in question. http://www.bensonitsolutions.com/Calendar/v4/ |
References
- http://pridels0.blogspot.com/2006/03/1webcalendar-v-4x-vuln.html
- http://secunia.com/advisories/19329
- http://www.osvdb.org/24021
- http://www.osvdb.org/24022
- http://www.osvdb.org/24023
- http://www.securityfocus.com/bid/17193
- http://www.vupen.com/english/advisories/2006/1040
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25373