CVE-2021-42077
CVE-2021-42077 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. EPSS estimates a 2.43% chance of exploitation in the next 30 days.
Description
PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.
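As an added illustration (the affected PHP Event Calendar source is not on this page, so the function names, table schema and the string-built query below are assumptions about the bug class, not the project's own code), this contrasts a lookup that splices a username parameter into SQL text with a PDO prepared-statement version that binds it as data:

```php
<?php
// Added illustration only; the vulnerable pattern is an assumption about the
// bug class (string-built SQL), not PHP Event Calendar's actual code.

// Unsafe: the request parameter becomes part of the SQL text. A quote
// character in $username ends the string literal early, so whatever follows
// is parsed as SQL rather than compared as data.
function lookup_user_unsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, role FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Safe: the statement text is fixed before any input is seen and the value is
// bound, so the driver always treats $username as a single string literal,
// quotes included.
function lookup_user_safe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, role FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory fixture so the two functions can be compared offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$db->exec("INSERT INTO users (username, role) VALUES ('admin', 'admin'), ('alice', 'user')");

$probe = "O'Brien"; // an ordinary username that happens to contain a quote

// Bound as data: the quote cannot alter the statement, the lookup simply
// matches or does not match a row.
$safe = lookup_user_safe($db, $probe);

try {
    lookup_user_unsafe($db, $probe);
} catch (PDOException $e) {
    // The quote changed the statement's structure; here the driver rejects
    // the malformed query, and crafted input could instead rewrite the
    // WHERE clause, which is the login-bypass scenario the advisory describes.
    echo "unsafe path broke the query: ", $e->getMessage(), "\n";
}
```

The fix for this class of bug is the prepared statement; escaping or filtering the parameter is not a substitute because it leaves the query text itself input-dependent.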
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Kaysongroup | Php Event Calendar | < 2021-09-03 |
References
- http://packetstormsecurity.com/files/164777/PHP-Event-Calendar-Lite-Edition-SQL-Injection.html (Exploit, Third Party Advisory, VDB Entry)
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-048.txt (Exploit, Third Party Advisory)
Source: NVD / NIST
