PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/164777/PHP-Event-Calendar-Lite-Edition-SQL-Injection.html | Exploit Third Party Advisory VDB Entry |
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-048.txt | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-11-08T04:01:18
Updated: 2021-11-08T04:01:18
Reserved: 2021-10-07T00:00:00
Link: CVE-2021-42077
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-11-08T04:15:08.683
Modified: 2021-11-09T19:28:05.903
Link: CVE-2021-42077
JSON object: View
Redhat Information
No data.
CWE