CVE-2021-42077

CRITICAL

PHP Event Calendar < 2021-09-03 - SQL Injection via User Manager Username Parameter

Title source: llm
STIX 2.1

Description

PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.

References (2)

Core 2
Core References

Scores

CVSS v3 9.8
EPSS 0.0243
EPSS Percentile 82.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
kaysongroup/php_event_calendar < 2021-09-03
Published Nov 08, 2021
Tracked Since Feb 18, 2026