[原文]Multiple SQL injection vulnerabilities in Aaron Outpost ASP Inline Corporate Calendar allow remote attackers to execute arbitrary SQL commands via the Event_ID parameter to (1) defer.asp or (2) details.asp.
ASP Inline Corporate Calendar defer.asp Event_ID Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
ASP Inline Corporate Calendar contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'Event_ID' variable in the defer.asp script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.