CVE-2009-4929

Sweetphp Totalcalender - Authentication Bypass

Title source: rule

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4929. PoCs published by ThE g0bL!N.

AI-analyzed exploit summary This exploit demonstrates an authentication bypass vulnerability in TotalCalendar 2.4, allowing an attacker to change the admin password without prior authentication. The PoC provides a pre-filled form that submits a password change request directly to the vulnerable endpoint.

Description

admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters.

Exploits (1)

exploitdb WORKING POC VERIFIED

by ThE g0bL!N · htmlwebappsphp

https://www.exploit-db.com/exploits/8496

View Code ZIP pw:eip

This exploit demonstrates an authentication bypass vulnerability in TotalCalendar 2.4, allowing an attacker to change the admin password without prior authentication. The PoC provides a pre-filled form that submits a password change request directly to the vulnerable endpoint.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: TotalCalendar 2.4

No auth needed

Prerequisites: Access to the target's admin interface

MITRE ATT&CK

T1110.001 - Password Guessing

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/8496

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/34619

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34824

Scores

EPSS 0.0245

EPSS Percentile 82.3%

Details

CWE

CWE-287

Status published

Products (1)

sweetphp/totalcalender 2.4

Published Jul 12, 2010

Tracked Since Feb 18, 2026