CVE-2017-20268
Status: Received - Intake
SQL Injection in Zap Calendar Lite Component

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
The Joomla! component Zap Calendar Lite 4.3.4 contains an SQL injection vulnerability: the 'eid' parameter of the RSVP plugin endpoint is incorporated into an SQL query without proper neutralization. An unauthenticated attacker can send a GET request to that endpoint with a crafted SQL payload in 'eid' and execute arbitrary SQL, extracting sensitive database information such as database names and table structures.
Meta Information
Generated: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor   Product                       Version / Range
joomla   component_zap_calendar_lite   4.3.4
joomla   component_zap_calendar_lite   up to 4.3.4 (exclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2017-20268 is an SQL injection vulnerability in the Joomla! component Zap Calendar Lite, affecting version 4.3.4 and earlier.

An unauthenticated attacker can inject SQL through the 'eid' parameter by sending a crafted GET request to the component's RSVP plugin endpoint.

Because the injected SQL is executed by the site's database, the attacker can run arbitrary queries and extract sensitive information such as database names and table structures.

Compliance Impact

The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries and extract sensitive database information, including database names and table structures.

Depending on what the affected site stores, such unauthorized access could put the operator in breach of data protection regulations such as GDPR or HIPAA, which require personal and sensitive information to be safeguarded against unauthorized access and disclosure.

The sources cited for this CVE do not discuss its impact on compliance with these or other standards and regulations.

Impact Analysis

This vulnerability has a significant impact because it exposes the site's database to anyone who can reach the RSVP endpoint; no account or authentication is required.

Database names and table structures are the usual prelude to dumping table contents from the same database, so the initial disclosure can lead directly to broader data theft or further exploitation.

The high severity rating (CVSS score 8.8) reflects a substantial risk of data compromise on affected systems.

Detection Guidance

Exploitation attempts can be detected by monitoring GET requests to the RSVP plugin endpoint of the Zap Calendar Lite component (requests whose query string selects option=com_zcalendar, view=plugin, name=rsvp and task=rsvpform) and inspecting the 'eid' parameter of those requests.

In practice this means matching HTTP requests against the vulnerable URL pattern and flagging any whose decoded 'eid' value contains SQL syntax (quotes, comment sequences, keywords such as OR or UNION) instead of the plain integer an event id should be.

Example command using curl to send a test request that places a simple boolean payload in the 'eid' parameter (the payload is percent-encoded so that the request line is well-formed; replace [target] with the host under test):

  • curl "http://[target]/index.php?option=com_zcalendar&view=plugin&name=rsvp&task=rsvpform&user=&eid=1%27%20OR%20%271%27%3D%271&format=raw"

Compare the response with the one returned for a plain numeric eid (for example eid=1): a response that differs indicates that the injected condition changed the query's result rather than being rejected as an invalid id.

Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such requests. Because 'eid' is an event identifier and should only ever contain a decimal integer, the most reliable rule is a positive one: flag any request to this endpoint whose decoded 'eid' value is not a plain integer. A rule that relies solely on SQL keyword signatures can be evaded with encoding, case changes or comment tricks.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable RSVP plugin endpoint and enforcing strict validation of the 'eid' parameter: an event id should be cast to an integer, or bound as a parameter in a prepared statement, before it reaches the query.

If the vendor has released a version of Zap Calendar Lite that addresses this vulnerability, update to it.

As a temporary measure, consider disabling the RSVP plugin or the Zap Calendar Lite component until a fix is applied.

Additionally, implement web application firewall rules that block requests to this endpoint whose 'eid' value is anything other than a plain integer; this virtual patch covers encoded and obfuscated payloads that keyword-based signatures miss.
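The following Python script is an added example, not code from the Zap Calendar Lite component, the advisory or VulnCheck. It serves both the Detection Guidance and the Mitigation Strategies above: eid_is_valid is the positive integer-only check that an application-side fix or a WAF virtual patch should enforce, and scan_access_log applies the same check to web server logs to find exploitation attempts against the RSVP endpoint. The endpoint pattern (option=com_zcalendar, view=plugin, name=rsvp, task=rsvpform) is taken from the advisory's request example; the Apache combined log format and every sample log line are constructed for the example.

```python
"""Detection and input validation for the 'eid' parameter of the Zap Calendar
Lite RSVP endpoint (CVE-2017-20268).

Added example, not code from the component, the advisory or VulnCheck. The
endpoint pattern (option=com_zcalendar, view=plugin, name=rsvp,
task=rsvpform) comes from the advisory's request example; the Apache
"combined" log format and every sample line below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log line; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# An event id is a decimal integer and nothing else. This positive check is
# the same one an application-side fix (cast to int) or a WAF virtual patch
# should enforce; anything that fails it never reaches the SQL layer.
EID_OK = re.compile(r"[0-9]{1,10}")

# Used only to label findings for triage; detection does not depend on it.
SQL_HINT = re.compile(
    r"['\"]|--|/\*|#|\b(?:or|and|union|select|sleep|benchmark|information_schema)\b",
    re.IGNORECASE,
)


def eid_is_valid(value: str) -> bool:
    """True only for a plain decimal integer (no whitespace, quotes or sign)."""
    return EID_OK.fullmatch(value) is not None


def is_rsvp_endpoint(params: dict) -> bool:
    """Match the vulnerable endpoint on decoded values, case-insensitively,
    so reordering parameters or changing case does not evade the rule."""
    def first(key):
        return params.get(key, [""])[0].lower()
    return (first("option") == "com_zcalendar" and first("view") == "plugin"
            and first("name") == "rsvp" and first("task") == "rsvpform")


def analyse_request(target: str):
    """Return None for a benign request, else a finding dict.

    parse_qs percent-decodes values and turns '+' into a space, so the check
    sees what the component would see after URL decoding."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if not is_rsvp_endpoint(params):
        return None
    for eid in params.get("eid", []):
        if eid and not eid_is_valid(eid):
            reason = ("SQL syntax in eid" if SQL_HINT.search(eid)
                      else "eid is not a plain integer")
            return {"eid": eid, "reason": reason}
    return None


def scan_access_log(lines):
    """Return one finding per log line whose request matches the attack pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a parsable combined-format line
        hit = analyse_request(m["target"])
        if hit:
            findings.append({"ip": m["ip"], "ts": m["ts"], **hit})
    return findings


# Constructed sample traffic (RFC 5737 documentation addresses, not real logs).
SAMPLE_LOG = [
    # legitimate RSVP form request with a numeric event id
    '203.0.113.5 - - [19/Jun/2026:10:00:01 +0000] "GET /index.php?option=com_zcalendar'
    '&view=plugin&name=rsvp&task=rsvpform&user=&eid=42&format=raw HTTP/1.1" 200 1532',
    # the boolean probe from the advisory, percent-encoded as a client would send it
    '198.51.100.7 - - [19/Jun/2026:10:00:02 +0000] "GET /index.php?option=com_zcalendar'
    '&view=plugin&name=rsvp&task=rsvpform&user=&eid=1%27%20OR%20%271%27%3D%271'
    '&format=raw HTTP/1.1" 200 1532',
    # UNION probe for the database name, with parameters reordered and upper-cased
    '198.51.100.7 - - [19/Jun/2026:10:00:03 +0000] "GET /index.php?eid=-1+UNION+SELECT'
    '+1,database(),3--+-&task=rsvpform&name=rsvp&view=plugin&option=COM_ZCALENDAR'
    '&format=raw HTTP/1.1" 200 1601',
    # same payload against another component: outside this rule's scope
    '198.51.100.7 - - [19/Jun/2026:10:00:04 +0000] "GET /index.php?option=com_content'
    '&id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 404 210',
    # unrelated view of the same component
    '203.0.113.9 - - [19/Jun/2026:10:00:05 +0000] "GET /index.php?option=com_zcalendar'
    '&view=calendar HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']}: eid={f['eid']!r}")
```

Run against the constructed sample, the script reports the two requests from 198.51.100.7 that reach the RSVP endpoint with a non-integer eid (the advisory's boolean probe and a reordered, upper-cased UNION probe) and ignores the legitimate eid=42 request, the same payload sent to a different component, and an unrelated view. The matching is done on decoded values, so the check sees the parameter as the component would; a WAF rule built from eid_is_valid rejects the same requests before they reach the database.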
