PT-2021-23509 · Unknown · Phpeventcalendar

Author: Erik Steltzner (+1)
Published: 2021-11-05 · Updated: 2021-11-09
CVE: CVE-2021-42077
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: PHP Event Calendar versions prior to 2021-09-03

Description: The vulnerability allows SQL injection, as demonstrated by the "/server/ajax/user manager.php" endpoint, specifically its username parameter. An attacker can use it to execute SQL statements directly against the database, potentially compromising the database system or bypassing the login form.

Recommendations: For versions prior to 2021-09-03, update to a version released after 2021-09-03 to resolve the issue. As a temporary workaround, consider restricting access to the "/server/ajax/user manager.php" endpoint or sanitizing the username parameter to minimize the risk of exploitation.
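The bug class behind this advisory, and the fix the recommendations point at, as an added example (not the PHP Event Calendar code): a hypothetical user lookup by the username parameter, first with the value concatenated into the SQL text, then with a PDO prepared statement. It assumes an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Hypothetical illustration of the vulnerability class, not the project's code.
// In the real endpoint the value would come from the request, e.g. $_POST['username'].
// Runs stand-alone against an in-memory SQLite database: php this_file.php

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)");
// Constructed sample data; note the legitimate username containing an apostrophe.
$db->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('o''brien', 'user')");

// VULNERABLE: the request parameter becomes part of the SQL text, so any quote
// or SQL syntax inside it is parsed as part of the statement.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// FIXED: a prepared statement sends the parameter separately from the SQL text,
// so the database treats the username strictly as data, never as SQL.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT id, username, role FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A legitimate username with an apostrophe already exposes the difference:
// the unsafe query breaks because the quote terminates the string literal,
// while the safe query simply matches the stored value.
$input = "o'brien";

try {
    var_dump(findUserUnsafe($db, $input));
} catch (PDOException $e) {
    echo "unsafe lookup failed: " . $e->getMessage() . PHP_EOL;
}

var_dump(findUserSafe($db, $input));
```

The same change applies to every query that takes the username (or any other request parameter): bind it, do not interpolate it.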

Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers: CVE-2021-42077
Affected Products: Phpeventcalendar