[原文]Eval injection vulnerability in Light Weight Calendar (LWC) 1.0 (20040909) and earlier allows remote attackers to execute arbitrary PHP code via the date parameter in cal.php, which is included by index.php.
Light Weight Calendar index.php date Variable Arbitrary PHP Code Execution
Remote / Network Access
Loss of Integrity
Light Weight Calendar contains a flaw that allows arbitrary execution of PHP code. This flaw exists because the application does not validate the 'date' variable upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary PHP code on the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.