Vulnerability CVE-2021-42077


Published: 2021-11-08

Description:
PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.

See advisories in our WLB2 database:

Topic: PHP Event Calendar Lite Edition SQL Injection
Author: Erik Steltzner
Date: 25.11.2021
Risk: Med.

Type: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software: Kaysongroup -> Php event calendar

References:
http://packetstormsecurity.com/files/164777/PHP-Event-Calendar-Lite-Edition-SQL-Injection.html
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-048.txt

Copyright 2024, cxsecurity.com
