CVE-2009-4929 - OpenCVE

admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sweetphp	Totalcalender

Configuration 1 [-]

cpe:2.3:a:sweetphp:totalcalender:2.4:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://secunia.com/advisories/34824
http://www.exploit-db.com/exploits/8496
http://www.securityfocus.com/bid/34619

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2010-07-09T17:00:00

Updated: 2024-08-07T07:24:53.269Z

Reserved: 2010-07-09T00:00:00

Link: CVE-2009-4929

Vulnrichment

No data.

NVD

Status : Modified

Published: 2010-07-12T13:27:16.143

Modified: 2017-09-19T01:30:07.343

Link: CVE-2009-4929

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-04-20T00:00:00", "descriptions": [{"lang": "en", "value": "admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "8496", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/8496"}, {"name": "34619", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/34619"}, {"name": "34824", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34824"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-4929", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "8496", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/8496"}, {"name": "34619", "refsource": "BID", "url": "http://www.securityfocus.com/bid/34619"}, {"name": "34824", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34824"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T07:24:53.269Z"}, "title": "CVE Program Container", "references": [{"name": "8496", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/8496"}, {"name": "34619", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/34619"}, {"name": "34824", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/34824"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-4929", "datePublished": "2010-07-09T17:00:00", "dateReserved": "2010-07-09T00:00:00", "dateUpdated": "2024-08-07T07:24:53.269Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}