htdocs/setup/index.php in Eventum prior to 2.3.5 allows remote malicious users to inject and execute arbitrary PHP code via the hostname parameter.
eventum project eventum