ID: CVE-2005-4011
Type: cve
Reporter: cve@mitre.org
Modified: 2018-10-19T15:39:00
Description
SQL injection vulnerability in calendar.php in Codewalkers ltwCalendar (aka PHP Event Calendar) 4.2, 4.1.3, and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
{"osvdb": [{"lastseen": "2017-04-28T13:20:18", "bulletinFamily": "software", "description": "## Vulnerability Description\nItwCalendar contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the calendar.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 4.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nItwCalendar contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the calendar.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\n/calendar.php?display=event&id=[SQL]\n## References:\nVendor URL: http://calendar.codewalkers.com/\nVendor Specific News/Changelog Entry: http://ltwcalendar.sourceforge.net/changelog.php\n[Secunia Advisory ID:17799](https://secuniaresearch.flexerasoftware.com/advisories/17799/)\nOther Advisory URL: http://pridels.blogspot.com/2005/11/codewalkers-ltwcalendar-4x-sql-inj.html\nMail List Post: http://attrition.org/pipermail/vim/2006-December/001154.html\nISS X-Force ID: 23312\n[CVE-2005-4011](https://vulners.com/cve/CVE-2005-4011)\n", "modified": "2005-11-29T10:19:48", "published": "2005-11-29T10:19:48", "href": "https://vulners.com/osvdb/OSVDB:21195", "id": "OSVDB:21195", "title": "ltwCalendar calendar.php id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "## Vulnerability Description\nPHP Event Calendar contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'calendar.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nUpgrade to version 4.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHP Event Calendar contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'calendar.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\n/calendar.php?display=event&id=[SQL]\n## References:\nVendor URL: http://calendar.codewalkers.com/\nSecurity Tracker: 1016364\n[Secunia Advisory ID:17799](https://secuniaresearch.flexerasoftware.com/advisories/17799/)\nOther Advisory URL: http://pridels.blogspot.com/2005...kers-ltwcalendar-4x-sql-inj.html\nOther Advisory URL: http://www.Silitix.com/calendar-cws.php\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0503.html\nKeyword: ltwCalendar\nISS X-Force ID: 27362\nISS X-Force ID: 23312\n[CVE-2006-3248](https://vulners.com/cve/CVE-2006-3248)\n[CVE-2005-4011](https://vulners.com/cve/CVE-2005-4011)\nBugtraq ID: 18593\n", "modified": "2005-11-29T00:00:00", "published": "2005-11-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:27539", "id": "OSVDB:27539", "title": "Codewalkers PHP Event Calendar calendar.php id Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T07:24:00", "bulletinFamily": "exploit", "description": "PHP Event Calendar 4.2 SQL Injection Vulnerability. CVE-2005-4011. Webapps exploit for php platform", "modified": "2006-06-22T00:00:00", "published": "2006-06-22T00:00:00", "id": "EDB-ID:28088", "href": "https://www.exploit-db.com/exploits/28088/", "type": "exploitdb", "title": "PHP Event Calendar 4.2 - SQL Injection Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/18593/info\r\n\r\nPHP Event Calendar is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.\r\n\r\nA successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.\r\n\r\nhttp://www.example.com/calendar.php?display=event&id=[SQL]", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/28088/"}]}