install/index.php in Craig Knudsen WebCalendar before 1.2.5 allows remote attackers to modify settings.php and possibly execute arbitrary code via vectors related to the user theme preference.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Webcalendar | Webcalendar_project | 1.0-rc1 (including) | 1.0-rc1 (including) |
| Webcalendar | Webcalendar_project | 1.0-rc2 (including) | 1.0-rc2 (including) |
| Webcalendar | Webcalendar_project | 1.0-rc3 (including) | 1.0-rc3 (including) |
| Webcalendar | Webcalendar_project | 1.1.1 (including) | 1.1.1 (including) |
| Webcalendar | Webcalendar_project | 1.1.2 (including) | 1.1.2 (including) |
| Webcalendar | Webcalendar_project | 1.1.3 (including) | 1.1.3 (including) |
| Webcalendar | Webcalendar_project | 1.1.4 (including) | 1.1.4 (including) |
| Webcalendar | Webcalendar_project | 1.1.5 (including) | 1.1.5 (including) |
| Webcalendar | Webcalendar_project | 1.1.6 (including) | 1.1.6 (including) |
| Webcalendar | Webcalendar_project | 1.2-b1 (including) | 1.2-b1 (including) |
| Webcalendar | Webcalendar_project | 1.2.0 (including) | 1.2.0 (including) |
| Webcalendar | Webcalendar_project | 1.2.1 (including) | 1.2.1 (including) |
| Webcalendar | Webcalendar_project | 1.2.2 (including) | 1.2.2 (including) |
| Webcalendar | Webcalendar_project | 1.2.3 (including) | 1.2.3 (including) |
| Webcalendar | Webcalendar_project | 1.2.4 (including) | 1.2.4 (including) |