This website displays data collected from external sources, and is not responsible for any aspect of it.

Security / vulnerability advisories for Kayson Group PHP Event Calendar Lite Edition

CPE for product: cpe:2.3:a:kaysongroup:php_event_calendar:-:*:*:*:lite:*:*:*

Maximal damage 9.8
Very easy to exploit
Published: Mon Nov 8 04:15:00 2021 UTC. Last Modified: Tue Nov 9 19:28:00 2021 UTC
CPE matches: cpe:2.3:a:kaysongroup:php_event_calendar:*:*:*:*:lite:*:*:* && versionEndExcluding=2021-09-03

Description

PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.

Damage and attack conditions obtained from CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSSv3)