Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
My Calendar <= 3.7.14 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'vcal' Parameter
Vulnerability Description
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to enumerate occurrence IDs and access the full iCalendar export of non-public, draft, trashed, and personal calendar events, disclosing sensitive event metadata including titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Joe Dolson My Calendar 授权问题漏洞
Vulnerability Description
joedolson My Calendar – Accessible Event Manager是joedolson的事件管理器插件。 Joe Dolson My Calendar 3.7.14及之前版本存在授权问题漏洞,该漏洞源于通过'vcal'参数缺少对用户控制密钥的验证,存在不安全的直接对象引用,可能导致未经身份验证的攻击者枚举事件ID并访问非公开、草稿、已删除和个人日历事件的完整iCalendar导出,泄露敏感事件元数据。
CVSS Information
N/A
Vulnerability Type
N/A