After returning from work, I went round the Internet as not to lose the habit :-) and between page and page, I found a page that has a vulnerability very common to find: the default settings.
The point is that, by chance, I ran into a user interface to access a calendar, created an application called WebCalendar.
Out of curiosity, place an "x" in each field to see the result. A mistake, but without more data. Immediately after, and almost by inertia, put "admin" in each field y. .. guess what?
But that's not all, as expected, coming in with the administration account, you have access to the whole configuration of the application and, most interesting, is that we can gather information from users who are part of the timetable and to a history of events created.
Unfortunately the default settings correspond to a recurring issue that is directly related to lack of training and awareness regarding security issues.
Many attack tools assume that the objectives are with the default settings, as we see in this case. There are also many sites that have a database with usernames and passwords default devices and applications.