CVE-1999-1172
Date: 2001-09-12
By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared.
References:
Christey: The discloser does not provide enough details to fully understand what the problem is. This makes it difficult because if Maximizer has a concept of "users" and it is designed to allow any user to modify any other user's data, then this would not be a vulnerability or exposure, unless that "cross-user" capability could be used to violate system integrity, data confidentiality, or the like. There are some features of Maximizer 6.0 that, if abused, could allow someone to do some bad things. For example, an attacker could modify the email addresses for contacts to redirect sales to locations besides the customer. There's also a capability of assigning priorities and alarms, which could be susceptible to an "inconvenience attack" at the very least, as well as tie-ins to e-commerce capabilities. The critical question becomes: "how is this data shared" in the first place? If it's through a network share or other distribution method besides transferring the complete database between sites, then this may be accessible to any attacker who can mimic a Maximizer client (if there is such a thing as a client), and this could be a vulnerability or exposure according to the CVE definition. However, since the Maximizer functionality is unknown to me and not readily apparent from product documentation, it's hard to know what to do about this one
CHANGE: [Frech changed vote from REVIEWING to MODIFY
Frech: XF:maximizer-enterprise-calendar-modification(7590