I am running Joomla 3.6.5 (just upgraded from 3.6.3) with JEvents 3.4.33 (just upgraded from 3.4.17). The system has PHP 5.5.38 and MySQL 5.5.54. Our network admin just informed me that there is a SQL injection with
http://mysite/index.php/events/calendar/eventsbyyear/2012/1*
from which I can get everything about the database. I confirmed that with sqlmap. So I upgraded Joomla and JEvents, as mentioned above, but the problem remains. Any suggestions?