[原文]popup.php in EasyPHPCalendar before 6.2.8 allows remote attackers to obtain sensitive information via an invalid ev parameter, which reveals the full pathname of the web server in a PHP error message.
EasyPHPCalendar popup.php ev Variable Path Disclosure
Remote / Network Access
Loss of Confidentiality
EasyPHPCalendar contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker provides malformed input to the 'ev' variable in the popup.php script, which will disclose the installation path resulting in a loss of confidentiality.
Upgrade to version 6.2.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.