CVE-2004-1552 - SQL injection vulnerability in aspWebCalendar allows remote attackers to execute arbitrary SQL state

CVE-2004-1552

Summary

SQL injection vulnerability in aspWebCalendar allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the eventid parameter to calendar.asp.

References

http://marc.info/?l=bugtraq&m=109604910025090&w=2
http://secunia.com/advisories/12651
http://secunia.com/advisories/24622
http://www.securityfocus.com/bid/11246
http://www.securityfocus.com/bid/23098
http://www.vupen.com/english/advisories/2007/1093
https://exchange.xforce.ibmcloud.com/vulnerabilities/17506
https://exchange.xforce.ibmcloud.com/vulnerabilities/33157
https://www.exploit-db.com/exploits/3546

Vulnerable Configurations

cpe:2.3:a:full_revolution:aspwebcalendar:4.5:*:*:*:*:*:*:*
cpe:2.3:a:full_revolution:aspwebcalendar:4.5:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 11-10-2017 - 01:29)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bid	11246 23098
bugtraq	20040923 aspWebCalendar /aspWebAlbum: SQL injection
exploit-db	3546
secunia	12651 24622
vupen	ADV-2007-1093
xf	aspwebcalendar-calendar-sql-injection(33157) aspwebcalendar-sql-injection(17506)

Last major update

11-10-2017 - 01:29

Published

31-12-2004 - 05:00

Last modified

11-10-2017 - 01:29