CVE-2008-5967

PHP iCalendar <2.3.4-2.24 - Info Disclosure

Title source: llm

Description

admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ directory outside the web root.

Exploits (1)

exploitdb WORKING POC VERIFIED

by EgiX · phpwebappsphp

https://www.exploit-db.com/exploits/6519

View Code ZIP pw:eip

References (3)

[Vendor Advisory] http://secunia.com/advisories/31944

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/48323

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/6519

Scores

EPSS 0.0479

EPSS Percentile 89.5%

Details

CWE

CWE-287

Status published

Products (16)

phpicalendar/phpicalendar 0.7

phpicalendar/phpicalendar 0.8

phpicalendar/phpicalendar 0.9

phpicalendar/phpicalendar 0.9.5

phpicalendar/phpicalendar 1.0

phpicalendar/phpicalendar 1.1

phpicalendar/phpicalendar 2.0 beta

phpicalendar/phpicalendar 2.0.1

phpicalendar/phpicalendar 2.0c

phpicalendar/phpicalendar 2.1

... and 6 more

Published Jan 26, 2009

Tracked Since Feb 18, 2026