WebCalendar allows remote malicious users to gain privileges by modifying critical parameters to (1) view_entry.php or (2) upcoming.php.