CVE-2007-0681

CRITICAL

ExtCalendar <2 - Auth Bypass

Title source: llm

Description

profile.php in ExtCalendar 2 and earlier allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions, via modified values to register.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by ajann · html · webapps · php
https://www.exploit-db.com/exploits/3239

Scores

CVSS v3 9.8
EPSS 0.0747
EPSS Percentile 91.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-522
Status draft

Affected Products (1)

extcalendar_project/extcalendar < 2

Timeline

Published Feb 03, 2007
Tracked Since Feb 18, 2026