CVE-2009-4929

Sweetphp Totalcalender - Authentication Bypass

Title source: rule

Description

admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters.

Exploits (1)

exploitdb WORKING POC VERIFIED
by ThE g0bL!N · html · webapps · php
https://www.exploit-db.com/exploits/8496

Scores

EPSS 0.0154
EPSS Percentile 81.2%

Classification

CWE
CWE-287
Status draft

Affected Products (1)

sweetphp/totalcalender

Timeline

Published Jul 12, 2010
Tracked Since Feb 18, 2026