← Retour aux CVEs
CVE-2021-42077
CRITICAL9.8
Description
PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.
Details CVE
Score CVSS v3.19.8
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie11/8/2021
Derniere modification11/21/2024
Sourcenvd
Observations honeypot0
Produits affectes
kaysongroup:php_event_calendar
Faiblesses (CWE)
CWE-89
References
http://packetstormsecurity.com/files/164777/PHP-Event-Calendar-Lite-Edition-SQL-Injection.html(cve@mitre.org)
http://packetstormsecurity.com/files/164777/PHP-Event-Calendar-Lite-Edition-SQL-Injection.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-048.txt(af854a3a-2127-422b-91ae-364da2661108)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.