CVE-2008-5840
phpicalendar <= 2.24 - Unauthenticated Authentication Bypass via Cookie Manipulation
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2008-5840. PoCs published by Stack.
AI-analyzed exploit summary This exploit demonstrates an insecure cookie handling vulnerability in PHP iCalendar <= 2.24, allowing an attacker to bypass authentication by setting specific cookie values via JavaScript.
Description
PHP iCalendar 2.24 and earlier allows remote attackers to bypass authentication by setting the phpicalendar and phpicalendar_login cookies to 1.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Stack · textwebappsphp
https://www.exploit-db.com/exploits/6526
This exploit demonstrates an insecure cookie handling vulnerability in PHP iCalendar <= 2.24, allowing an attacker to bypass authentication by setting specific cookie values via JavaScript.
Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target:
PHP iCalendar <= 2.24
No auth needed
Prerequisites:
Victim must execute the provided JavaScript code
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (4)
Core 4
Core References
Exploit, Third Party Advisory exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/6526
Third Party Advisory third-party-advisory
x_refsource_sreason
http://securityreason.com/securityalert/4865
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/45338
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/31320
Scores
EPSS
0.0302
EPSS Percentile
85.7%
Details
CWE
CWE-264
Status
published
Products (16)
phpicalendar/phpicalendar
0.7
phpicalendar/phpicalendar
0.8
phpicalendar/phpicalendar
0.9
phpicalendar/phpicalendar
0.9.5
phpicalendar/phpicalendar
1.0
phpicalendar/phpicalendar
1.1
phpicalendar/phpicalendar
2.0 beta
phpicalendar/phpicalendar
2.0.1
phpicalendar/phpicalendar
2.0c
phpicalendar/phpicalendar
2.1
... and 6 more
Published
Jan 05, 2009
Tracked Since
Feb 18, 2026