VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2014 · Updated May 6, 2026

CVE-2013-3961

Description

SQL injection vulnerability in edit_event.php in Simple PHP Agenda before 2.2.9 allows remote authenticated users to execute arbitrary SQL commands via the eventid parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated SQL injection in Simple PHP Agenda <= 2.2.8 via an insufficiently validated eventid parameter in edit_event.php allows database extraction.

Vulnerability

An authenticated SQL injection vulnerability exists in Simple PHP Agenda versions 2.2.8 and earlier. The flaw is located in the edit_event.php file, where the eventid GET parameter is insufficiently sanitized. The application relies solely on mysql_real_escape_string(), which escapes quote characters but does not prevent SQL injection when the parameter is spliced into a numeric context without quoting or type validation [1][2].

Exploitation

An attacker must have a valid user account for the Simple PHP Agenda instance. With this access, the attacker can construct a URL containing a SQL injection payload in the eventid parameter, such as: http://vulnerablesite.com/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1 [1][2]. This UNION-based injection allows extraction of arbitrary data from the database.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands, leading to the disclosure of sensitive information, including database credentials and other stored data. This can be escalated to compromise an administrator account by retrieving user credentials directly from the database, as demonstrated in the proof of concept where username and password fields from the users table are dumped [1][2].

Mitigation

The vulnerability is fixed in version 2.2.9 of Simple PHP Agenda. Users should upgrade to this version or later to remediate the issue. As a workaround, administrators should properly validate and sanitize the eventid parameter in edit_event.php rather than relying solely on mysql_real_escape_string() [1][2].
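The following added example (not code from Simple PHP Agenda) models the pattern described in the Vulnerability and Mitigation sections in Python with an in-memory SQLite table: an escape function that mimics what mysql_real_escape_string() does to quotes leaves a quote-free payload untouched in an unquoted numeric context, while strict integer validation plus parameter binding rejects it. The schema, the `events` table and the sample payload are constructed for illustration.

```python
import re
import sqlite3

# Constructed stand-in for the agenda database (not the real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO events VALUES (1, 'team sync');
    """)
    return db

def escape_like_mysql(value):
    # Mimics mysql_real_escape_string(): escapes quotes, backslashes, NUL and
    # newlines. It does not touch spaces, commas or SQL keywords.
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"',
             "\0": "\\0", "\n": "\\n", "\r": "\\r"}
    return "".join(table.get(c, c) for c in value)

def vulnerable_query(eventid):
    # Unquoted numeric context: a payload without quote characters passes
    # through the escaper unchanged and is spliced into the statement as-is.
    return "SELECT id, title FROM events WHERE id = " + escape_like_mysql(eventid)

def run_vulnerable(db, eventid):
    # Executes the spliced statement to show extra rows coming back.
    return sorted(db.execute(vulnerable_query(eventid)).fetchall())

def validate_eventid(value):
    # Strict type validation: only a plain decimal integer is accepted.
    if re.fullmatch(r"[0-9]{1,10}", value) is None:
        return None
    return int(value)

def hardened_lookup(db, eventid):
    # The value is validated first and then bound as a parameter, so it never
    # becomes part of the SQL text.
    event_id = validate_eventid(eventid)
    if event_id is None:
        raise ValueError("invalid eventid")
    return db.execute("SELECT id, title FROM events WHERE id = ?",
                      (event_id,)).fetchone()
```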

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (28 CPE entries)

  • cpe:2.3:a:abeel:simple_php_agenda:*:*:*:*:*:*:*:* (range: <=2.2.8)
    • cpe:2.3:a:abeel:simple_php_agenda:0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:0.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:2.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:2.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:2.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:abeel:simple_php_agenda:2.2.7:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.