CVE-2012-1495

CRITICAL

Webcalendar < 1.2.5 - Injection

Title source: rule

Description

install/index.php in WebCalendar before 1.2.5 allows remote attackers to execute arbitrary code via the form_single_user_login parameter.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappslinux
https://www.exploit-db.com/exploits/18797
exploitdb WORKING POC VERIFIED
by EgiX · phpwebappsphp
https://www.exploit-db.com/exploits/18775
nomisec WRITEUP
by axelbankole · poc
https://github.com/axelbankole/CVE-2012-1495-Webcalendar-
metasploit WORKING POC EXCELLENT
by EgiX, sinn3r · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/webcalendar_settings_exec.rb

References (4)

Scores

CVSS v3 9.8
EPSS 0.8872
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-74
Status published
Products (1)
webcalendar_project/webcalendar < 1.2.5
Published Jan 27, 2020
Tracked Since Feb 18, 2026