Information from Thinkingreed Inc.
Vulnerability ID:JVN#67822421
Title:OSS Calendar vulnerable to SQL injection
Status:Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
A vulnerability has been identified in OSS Calendar.
Affected Products:
OSS Calendar prior to Version 2.0.3.
Summary:
A user who is logged in to the OSS Calendar could execute an SQL Injection attack.
Impact:
These impacts will occur when an attacker who is logged into the OSS Calendar exploits the vulnerability.
- Information theft and tampering
- System destruction
The impact according to CVSS v3 is as follows:
Severity: Important
CVSS v3 Base Score: 8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Workaround:
This vulnerability can only be exploited when an attacker is logged into the OSS Calendar.
To bypass the impact, consider implementing the following workarounds:
- Limit access to trusted sources.
- Delete unnecessary accounts.
- Use more complex and strong passwords in place of simple and weak ones.
Solution:
Update to the OSS Calendar version 2.0.3.
For instructions on how to upgrade, please refer to README.md on GitHub.
Furthermore, for customers under our support contract at Thinkingreed, individual corrections have already been completed to address this vulnerability. We hope this provides you with peace of mind.