CVE-2007-1343 | Vulnerability Database | Aqua Security

includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues.

Affected Software

Name	Vendor	Start Version	End Version
Webcalendar	Webcalendar	1.0.0 (including)	1.0.0 (including)
Webcalendar	Webcalendar	1.0.1 (including)	1.0.1 (including)
Webcalendar	Webcalendar	1.0.2 (including)	1.0.2 (including)
Webcalendar	Webcalendar	1.0.3 (including)	1.0.3 (including)
Webcalendar	Webcalendar	1.0.4 (including)	1.0.4 (including)
Webcalendar	Ubuntu	dapper	*
Webcalendar	Ubuntu	devel	*
Webcalendar	Ubuntu	edgy	*
Webcalendar	Ubuntu	gutsy	*
Webcalendar	Ubuntu	hardy	*
Webcalendar	Ubuntu	intrepid	*
Webcalendar	Ubuntu	jaunty	*
Webcalendar	Ubuntu	karmic	*

References

http://secunia.com/advisories/24403
http://secunia.com/advisories/24519
http://sourceforge.net/mailarchive/forum.php?thread_id=31840112\u0026forum_id=46247
http://sourceforge.net/project/shownotes.php?group_id=3870\u0026release_id=491130
http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7\u0026r2=1.211.2.8
http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log
http://www.debian.org/security/2007/dsa-1267
http://www.securityfocus.com/bid/22834
http://www.vupen.com/english/advisories/2007/0851
https://exchange.xforce.ibmcloud.com/vulnerabilities/32832

NVD	https://nvd.nist.gov/vuln/detail/CVE-2007-1343
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html