CVE-2007-0681
Published: 2007-02-03
Priority P348 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.04% (91.2th percentile)
profile.php in ExtCalendar 2 and earlier allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions, via modified values to register.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| extcalendar_project | extcalendar | <= 2 | — |
CVSS provenance
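| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |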
No detection rules found.
No writeups or analysis indexed.
CWE
Unverified Password Change
mitre_cwe·CVSS 9.8
CWE-620: Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity.
Potential Mitigations:
[Architecture and Design] When prompting for a password change, force the user to provide the original password in addition to the new password.
[Architecture and Desig
CWE
Insufficiently Protected Credentials
mitre_cwe
CWE-522: Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Modes of Introduction:
Phase: Architecture and Design
Note: COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.
Phase: Implementation
Common Consequences:
Scope: Access Control. Impact: Gain Privileges or Assume Identity. An attacker could gain access to user accounts and access sensitive data used by the user accounts.
Detection Methods:
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/com
Published: 2007-02-03