[Original text] SQL injection vulnerability in jax_calendar.php in Jax Calendar 1.34 allows remote attackers to execute arbitrary SQL commands via the (1) cal_id parameter, and possibly the (2) Y and (3) m parameters.
Jax Calendar contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the jax_calendar.php script not properly sanitizing user-supplied input to the cal_id variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
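With no fix listed, reviewing web server logs for malformed values in the three named parameters is one way to spot probing of this script. The following is an added example, not part of the advisory or of Jax Calendar: it assumes that cal_id, Y and m carry plain integers in legitimate requests and that the server writes combined-format access logs; the `/cal/` path and all log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the three parameters named in the advisory carry integers
# (calendar id, year, month) in legitimate requests.
NUMERIC_PARAMS = ("cal_id", "Y", "m")
SCRIPT = "jax_calendar.php"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return {param: value} for non-integer values sent to jax_calendar.php."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return {}
    url = urlsplit(match.group(1))
    if not url.path.endswith("/" + SCRIPT):
        return {}
    # parse_qs percent-decodes values, so encoded quotes are seen as quotes.
    query = parse_qs(url.query, keep_blank_values=True)
    hits = {}
    for name in NUMERIC_PARAMS:
        for value in query.get(name, []):
            if not re.fullmatch(r"\d{1,10}", value):
                hits[name] = value
    return hits

def scan(lines):
    """Yield (line_number, hits) for each log line with a flagged parameter."""
    for number, line in enumerate(lines, start=1):
        hits = suspicious_params(line)
        if hits:
            yield number, hits

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cal/jax_calendar.php?cal_id=3&Y=2024&m=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /cal/jax_calendar.php?cal_id=3%27&Y=2024&m=1 HTTP/1.1" 200 312',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /cal/jax_calendar.php?cal_id=3&Y=20x4&m= HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?cal_id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Parameters sent in a POST body do not appear in access logs, so this check only covers values passed in the query string.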