Vulnerability Description
Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 allow remote attackers to include and execute arbitrary local files via a full pathname in the configfile parameter to (1) update08.php or (2) update10.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Php-Calendar | Php-Calendar | 1.1 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/archive/1/508548/100/0/threaded
- http://www.securityfocus.com/archive/1/508548/100/0/threaded
FAQ
What is CVE-2009-3702?
CVE-2009-3702 is a vulnerability with a CVSS score of 7.5 (HIGH). Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 allow remote attackers to include and execute arbitrary local files via a full pathname in the configfile parameter to (1) update08...
How severe is CVE-2009-3702?
CVE-2009-3702 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-3702?
Check the references section above for vendor advisories and patch information. Affected products include: Php-Calendar Php-Calendar.