- Description
- Multiple SQL injection vulnerabilities in 1WebCalendar 4.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) EventID parameter in viewEvent.cfm, (2) NewsID parameter in newsView.cfm, or (3) ThisDate parameter in mainCal.cfm.
- Source
- cve@mitre.org
- NVD status
- Modified
CVSS 2.0
- Type
- Primary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:N/I:P/A:N
- Benson Solutions WebCalendar v4 has been updated to include fixes that filter the URL numeric and date variables in question and prevent non-numeric and non-date values from being passed to the SQL queries. This fixes the problems with the pages in question. http://www.bensonitsolutions.com/Calendar/v4/
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:benson_it_solutions:1webcalendar:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "643C9F88-65F9-48F7-93CB-A28549228A3F",
            "versionEndIncluding": "4.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]