Redaxo CMS Addon MyEvents SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the Redaxo CMS Addon MyEvents version 2.2.1. This vulnerability allows authenticated attackers to manipulate database queries by injecting SQL code through the 'myevents_id' parameter. Exploitation involves sending GET requests to the 'event_add.php' page with malicious 'myevents_id' values, which could lead to the extraction or modification of sensitive database information.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could result in unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, an authenticated user can send a GET request to the 'event_add.php' page within the MyEvents addon. The request must include a crafted 'myevents_id' parameter that contains malicious SQL code. This injection can then be used to manipulate the database query and access or modify sensitive information.
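The advisory names a single, easily monitored indicator: the 'myevents_id' parameter of the 'event_add.php' page is meant to carry a numeric record id, so any request in which it carries anything other than a plain integer is worth alerting on while the addon is unpatched. The script below is an added example, not part of the advisory and not code from the MyEvents addon or Redaxo: it parses web-server access-log lines in the common "combined" format, finds GET requests to event_add.php, and flags every 'myevents_id' value that is not a bare integer. The log lines, the client addresses and the '/redaxo/addons/myevents/pages/' path prefix are constructed for the example; only the page name and parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache/nginx "combined" format). These are
# written for this example and are not captured traffic. The path prefix is
# an assumption; only "event_add.php" and "myevents_id" come from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:10:00:01 +0000] "GET /redaxo/addons/myevents/pages/event_add.php?myevents_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:09 +0000] "GET /redaxo/addons/myevents/pages/event_add.php?myevents_id=12%27 HTTP/1.1" 500 310 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2024:10:01:15 +0000] "GET /redaxo/addons/myevents/pages/event_add.php?myevents_id=1%20OR%201%3D1 HTTP/1.1" 200 9870 "-" "curl/8.0"
203.0.113.12 - - [10/May/2024:10:02:00 +0000] "GET /redaxo/index.php?page=structure HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Client address, timestamp, method, request target and status from a combined-format line.
REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The only legitimate shape of a record id: one or more ASCII digits.
INTEGER_ID = re.compile(r"\d+")


def find_suspicious_requests(log_text: str) -> list[dict]:
    """Return one finding per event_add.php request whose myevents_id is not a bare integer."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/event_add.php"):
            continue
        # parse_qs percent-decodes values, so "12%27" becomes "12'" and
        # "1%20OR%201%3D1" becomes "1 OR 1=1". Blank values are kept so an
        # empty id is also reported.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("myevents_id", []):
            if INTEGER_ID.fullmatch(value):
                continue  # ordinary numeric id, nothing to report
            findings.append({
                "client": match.group("client"),
                "timestamp": match.group("ts"),
                "status": int(match.group("status")),
                "myevents_id": value,
                "reason": "non-integer myevents_id sent to event_add.php",
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_requests(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['client']} "
              f"status={finding['status']} myevents_id={finding['myevents_id']!r}")
```

Run against the sample above, the script reports the second and third lines (a stray quote and a boolean expression) and ignores both the benign numeric request and the unrelated page. A 500 response paired with a flagged value is the classic sign of a query that broke on unexpected input, while a 200 with an unusually large body on a flagged value deserves a closer look. The durable fix on the application side is the usual one for this bug class: cast the id to an integer, or pass it as a bound parameter of a prepared statement, before it reaches the query.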