Description
admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters.
Exploits (1)
exploitdb (working PoC, verified) by ThE g0bL!N · tags: html, webapps, php
https://www.exploit-db.com/exploits/8496
References (3)
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/8496
Exploit (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/34619
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/34824
Scores
EPSS
0.0154
EPSS Percentile
81.5%
Details
CWE
CWE-287
Status
published
Products (1)
sweetphp/totalcalender
2.4
Published
Jul 12, 2010
Tracked Since
Feb 18, 2026