admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Totalcalender | Sweetphp | 2.4 (including) | 2.4 (including) |