CVE-2009-0730

Name of the Vulnerable Software and Affected Versions GigCalendar (com gigcal) component version 1.0 for Mambo and Joomla!

Description The issue allows remote attackers to execute arbitrary SQL commands when magic quotes gpc is disabled. This is possible via the gigcal venues id parameter in a details action to "index.php", which is not properly handled by venuedetails.php, and the gigcal bands id parameter in a details action to "index.php", which is not properly handled by banddetails.php.

Recommendations For GigCalendar (com gigcal) component version 1.0, consider disabling the parameters gigcal venues id and gigcal bands id in the affected API endpoints until a patch is available. Restrict access to the venuedetails.php and banddetails.php files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.