Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Try our Premium Alert Service
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service

Category:   Application (Calendar)  >   iCal Vendors:   Apple
Apple iCal Calendar Import May Let Remote Users Add Unauthorized Alarm Actions
SecurityTracker Alert ID:  1012296
SecurityTracker URL:
CVE Reference:   CVE-2004-1021   (Links to External Site)
Date:  Nov 22 2004
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.5.4
Description:   A vulnerability was reported in Apple's iCal calendar software. A remote user can create a calendar that, when imported, will add alarm actions without authorization.

The iCal calendar alarms can execute applications and send e-mail messages.

The vendor credits with reporting this flaw.

Impact:   A remote user (with authority to add an iCal calendar) can add alarms without approval.
Solution:   The vendor has issued a fixed version (1.5.4), available at from the Software Update pane in System Preferences, or via Apple's iCal web site:

The download file is named: "iCal154.dmg"
Its SHA-1 digest is: 0bcb7c569bd3410f001c922afc337019203c19de

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.2.3 and later

Message History:   None.

 Source Message Contents

Subject:  APPLE-SA-2004-11-22 iCal 1.5.4

Hash: SHA1

APPLE-SA-2004-11-22 iCal 1.5.4

iCal 1.5.4 is now available and delivers the following security

CVE-ID:  CAN-2004-1021

Availability:  iCal 1.5.4 is available for Mac OS X v10.2.3 or later

Impact:  New iCal calendars may add alarms without approval

Description:  iCal calendars may include notification of events via
alarms.  These alarms may open programs and send e-mail.  iCal has
been updated to show an alert window when importing or opening
calendars containing alarms.  Credit to for reporting
this issue.

iCal 1.5.4 may be obtained from the Software Update pane in System
Preferences, or Apple's iCal web site:

The download file is named: "iCal154.dmg"
Its SHA-1 digest is:  0bcb7c569bd3410f001c922afc337019203c19de

Information will also be posted to the Apple Product Security
web site:

This message is signed with Apple's Product Security PGP key,
and details are available at:

Version: PGP 8.1


Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (
Help/Unsubscribe/Update your Subscription:***

This email sent to ***


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, LLC