Visual Events Calendar v1.1 (cfg_dir) Remote Inclusion Vulnerability

vendor:

Visual Events Calendar

by:

xoron

7,5

CVSS

HIGH

Remote Inclusion Vulnerability

CWE

Product Name: Visual Events Calendar

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

Visual Events Calendar v1.1 (cfg_dir) Remote Inclusion Vulnerability

Visual Events Calendar v1.1 is vulnerable to a remote inclusion vulnerability. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. The malicious request contains a URL in the cfg_dir parameter, which points to a malicious script hosted on a remote server. This script is then included and executed on the vulnerable server.

Mitigation:

The best way to mitigate this vulnerability is to ensure that user input is properly sanitized and validated before being used in any include statement.

Source

Visual Events Calendar v1.1 (cfg_dir) Remote Inclusion Vulnerability

Mitigation:

Exploit-DB raw data: