{"edition": 1, "title": "Ocean12 Calendar Manager Pro admin/main.asp date Variable SQL Injection", "bulletinFamily": "software", "published": "2006-05-08T11:17:33", "lastseen": "2017-04-28T13:20:22", "history": [], "modified": "2006-05-08T11:17:33", "reporter": "Dj_Eyes(dj_eyes2005@yahoo.com)", "hash": "85604d7809af177f7baed59dd10cdbab155ea31ddd065cc003e238d2c1f0e2a7", "viewCount": 1, "href": "https://vulners.com/osvdb/OSVDB:25344", "description": "## Vulnerability Description\nOcean12 Calendar Manager Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/main.asp' script not properly sanitizing user-supplied input to the 'date' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nOcean12 Calendar Manager Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/main.asp' script not properly sanitizing user-supplied input to the 'date' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## References:\nVendor URL: http://www.ocean12scripts.com/products/calendar/\n[Secunia Advisory ID:20036](https://secuniaresearch.flexerasoftware.com/advisories/20036/)\n[Related OSVDB ID: 25345](https://vulners.com/osvdb/OSVDB:25345)\n[Related OSVDB ID: 25346](https://vulners.com/osvdb/OSVDB:25346)\n[Related OSVDB ID: 25347](https://vulners.com/osvdb/OSVDB:25347)\nISS X-Force ID: 26334\nFrSIRT Advisory: ADV-2006-1705\n[CVE-2006-2264](https://vulners.com/cve/CVE-2006-2264)\nBugtraq ID: 17877\n", "affectedSoftware": [{"name": "Calendar Manager Pro", "version": "1.00", "operator": "eq"}], "type": "osvdb", "hashmap": [{"key": "affectedSoftware", "hash": "3d5fd5bfd74c6c196ed941a150dea53e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "7fd5bae5afa5cec52c3aa2cec805d353"}, {"key": "cvss", "hash": "9acfc3ecd06539a3534549fd05dfad8e"}, {"key": "description", "hash": "0f19d4b91a6c62b918983b8b6364107e"}, {"key": "href", "hash": "177be6f6d70fe932e3dcb33c41ad54b2"}, {"key": "modified", "hash": "68c9ad621d3956ec0ae8078c20824d6a"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "68c9ad621d3956ec0ae8078c20824d6a"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "0a31185d99c26ca90fb6111fbb6bcfb6"}, {"key": "title", "hash": "fbbbf1abc17065232d6dba5f3ece8dee"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2017-04-28T13:20:22"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-2264"]}, {"type": "osvdb", "idList": ["OSVDB:25345", "OSVDB:25346"]}, {"type": "exploitdb", "idList": ["EDB-ID:27825", "EDB-ID:27827", "EDB-ID:27826"]}], "modified": "2017-04-28T13:20:22"}, "vulnersScore": 7.6}, "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.5}, "cvelist": ["CVE-2006-2264"], "id": "OSVDB:25344"}

{"cve": [{"lastseen": "2019-05-29T18:08:32", "bulletinFamily": "NVD", "description": "Multiple SQL injection vulnerabilities in Ocean12 Calendar Manager Pro 1.00 allow remote attackers to execute arbitrary SQL commands via the (1) date parameter to admin/main.asp, (2) SearchFor parameter to admin/view.asp, or (3) ID parameter to admin/edit.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.", "modified": "2017-07-20T01:31:00", "id": "CVE-2006-2264", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2264", "published": "2006-05-09T10:02:00", "title": "CVE-2006-2264", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T06:49:25", "bulletinFamily": "exploit", "description": "Ocean12 Technologies Calendar Manager Pro 1.0 1 admin/main.asp date Parameter SQL Injection. CVE-2006-2264. Webapps exploit for asp platform", "modified": "2006-05-08T00:00:00", "published": "2006-05-08T00:00:00", "id": "EDB-ID:27825", "href": "https://www.exploit-db.com/exploits/27825/", "type": "exploitdb", "title": "Ocean12 Technologies Calendar Manager Pro 1.0 1 admin/main.asp date Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/17877/info\r\n\r\nCalendar Manager Pro is prone to multiple input-validation vulnerabilities. The issues include cross-site scripting and SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. \r\n\r\nA successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.\r\n\r\nhttp://www.example.com/path/admin/main.asp?date=[SQL]", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/27825/"}, {"lastseen": "2016-02-03T06:49:42", "bulletinFamily": "exploit", "description": "Ocean12 Technologies Calendar Manager Pro 1.0 1 admin/edit.asp ID Parameter SQL Injection. CVE-2006-2264. Webapps exploit for asp platform", "modified": "2006-05-08T00:00:00", "published": "2006-05-08T00:00:00", "id": "EDB-ID:27827", "href": "https://www.exploit-db.com/exploits/27827/", "type": "exploitdb", "title": "Ocean12 Technologies Calendar Manager Pro 1.0 1 admin/edit.asp ID Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/17877/info\r\n \r\nCalendar Manager Pro is prone to multiple input-validation vulnerabilities. The issues include cross-site scripting and SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. \r\n \r\nA successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.\r\n \r\nhttp://www.example.com/patj/admin/edit.asp?ID=[SLQ]", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/27827/"}, {"lastseen": "2016-02-03T06:49:33", "bulletinFamily": "exploit", "description": "Ocean12 Technologies Calendar Manager Pro 1.0 1 admin/view.asp SearchFor Parameter SQL Injection. CVE-2006-2264. Webapps exploit for asp platform", "modified": "2006-05-08T00:00:00", "published": "2006-05-08T00:00:00", "id": "EDB-ID:27826", "href": "https://www.exploit-db.com/exploits/27826/", "type": "exploitdb", "title": "Ocean12 Technologies Calendar Manager Pro 1.0 1 admin/view.asp SearchFor Parameter SQL Injection", "sourceData": "source: http://www.securityfocus.com/bid/17877/info\r\n \r\nCalendar Manager Pro is prone to multiple input-validation vulnerabilities. The issues include cross-site scripting and SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. \r\n \r\nA successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.\r\n\r\nhttp://www.example.com/path/admin/view.asp?SearchFor=[SQL]", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/27826/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:22", "bulletinFamily": "software", "description": "## Vulnerability Description\nOcean12 Calendar Manager Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/edit.asp' script not properly sanitizing user-supplied input to the 'ID' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nOcean12 Calendar Manager Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/edit.asp' script not properly sanitizing user-supplied input to the 'ID' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## References:\nVendor URL: http://www.ocean12scripts.com/products/calendar/\n[Secunia Advisory ID:20036](https://secuniaresearch.flexerasoftware.com/advisories/20036/)\n[Related OSVDB ID: 25344](https://vulners.com/osvdb/OSVDB:25344)\n[Related OSVDB ID: 25345](https://vulners.com/osvdb/OSVDB:25345)\n[Related OSVDB ID: 25347](https://vulners.com/osvdb/OSVDB:25347)\nISS X-Force ID: 26334\nFrSIRT Advisory: ADV-2006-1705\n[CVE-2006-2264](https://vulners.com/cve/CVE-2006-2264)\nBugtraq ID: 17877\n", "modified": "2006-05-08T11:17:33", "published": "2006-05-08T11:17:33", "href": "https://vulners.com/osvdb/OSVDB:25346", "id": "OSVDB:25346", "title": "Ocean12 Calendar Manager Pro admin/edit.asp ID Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:22", "bulletinFamily": "software", "description": "## Vulnerability Description\nOcean12 Calendar Manager Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/view.asp' script not properly sanitizing user-supplied input to the 'SearchFor' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nOcean12 Calendar Manager Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/view.asp' script not properly sanitizing user-supplied input to the 'SearchFor' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## References:\nVendor URL: http://www.ocean12scripts.com/products/calendar/\n[Secunia Advisory ID:20036](https://secuniaresearch.flexerasoftware.com/advisories/20036/)\n[Related OSVDB ID: 25344](https://vulners.com/osvdb/OSVDB:25344)\n[Related OSVDB ID: 25346](https://vulners.com/osvdb/OSVDB:25346)\n[Related OSVDB ID: 25347](https://vulners.com/osvdb/OSVDB:25347)\nISS X-Force ID: 26334\nFrSIRT Advisory: ADV-2006-1705\n[CVE-2006-2264](https://vulners.com/cve/CVE-2006-2264)\nBugtraq ID: 17877\n", "modified": "2006-05-08T11:17:33", "published": "2006-05-08T11:17:33", "href": "https://vulners.com/osvdb/OSVDB:25345", "id": "OSVDB:25345", "title": "Ocean12 Calendar Manager Pro admin/view.asp SearchFor Variable SQL Injection", "type": "osvdb", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}