Description
Joomla! Component Calendar Planner 1.0.1 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the category_id parameter. Attackers can send GET requests to the events view with malicious SQL code in the category_id parameter to extract sensitive database information.
Problem types
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Product status
Credits
Ihsan Sencan
References
www.exploit-db.com/exploits/42501 (ExploitDB-42501)
joomlathat.com/ (Official Product Homepage)
extensions.joomla.org/...s-a-events/events/calendar-planner/ (Product Reference)
www.vulncheck.com/...omponent-calendar-planner-sql-injection (VulnCheck Advisory: Joomla! Component Calendar Planner 1.0.1 SQL Injection)