![dotProject](http://www.dotproject.net/themes/SleekXTE/images/logo_large.png)
dotProject 2.1.6, an open source web-based project management application, suffers from SQL injection and cross-site scripting (XSS) vulnerabilities. The vulnerabilities were discovered by High-Tech Bridge Security Research Lab.
SQL Injection in dotProject:
The vulnerabilities exist due to insufficient sanitization of input passed via the "search_string", "where", "dept_id", "project_id" and "company_id" HTTP GET parameters to the "index.php" script. They could also be exploited by a remote, unauthenticated attacker via a CSRF vector (tricking an authenticated user into requesting a crafted URL).
Cross-Site Scripting (XSS) in dotProject:
Input sanitization errors were found in the "index.php" script when handling the "callback", "field", "company_name" and "date" HTTP GET parameters.
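The two flaw classes above come from the same root cause: GET parameters reaching a SQL string or an HTML page without being checked or encoded. The example below is added here to show the vulnerable pattern beside its hardened form; it is not dotProject's code and does not reproduce the advisory's payloads. It uses Python with an in-memory SQLite table as a stand-in for the application's database, a constructed set of sample rows, and a hypothetical `ALLOWED_FILTERS` allowlist for the raw "where" fragment, since a free-form WHERE clause cannot be made safe by parameter binding alone.

```python
"""Hypothetical demo of unsanitized GET parameters reaching SQL and HTML.
Not dotProject's code; SQLite stands in for the application's database."""
import html
import re
import sqlite3

# Constructed sample rows standing in for a projects table.
SAMPLE_ROWS = [
    (1, "Alpha", 10, 100),  # project_id, project_name, company_id, dept_id
    (2, "Beta", 10, 200),
    (3, "Gamma", 20, 100),
]

# Hypothetical allowlist: the "where" parameter may only *name* a fixed
# fragment, never supply SQL text of its own.
ALLOWED_FILTERS = {
    "none": "1=1",
    "has_company": "company_id IS NOT NULL",
}

# Hypothetical rule for a JSONP-style "callback" parameter: a bare
# JavaScript identifier, so nothing can break out of the callback call.
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE projects (project_id INTEGER, project_name TEXT,"
        " company_id INTEGER, dept_id INTEGER)"
    )
    con.executemany("INSERT INTO projects VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def search_vulnerable(con, params):
    """Query built by string concatenation: every parameter is injectable."""
    sql = ("SELECT project_id, project_name FROM projects"
           " WHERE project_name LIKE '%" + params.get("search_string", "") + "%'")
    for col in ("company_id", "dept_id", "project_id"):
        if col in params:
            sql += " AND " + col + " = " + params[col]   # no numeric check
    if "where" in params:
        sql += " AND " + params["where"]                  # raw SQL from the client
    return con.execute(sql).fetchall()


def search_hardened(con, params):
    """Same search with one fix per parameter class: bind free text,
    cast numeric ids, and allowlist the raw fragment."""
    sql = "SELECT project_id, project_name FROM projects WHERE project_name LIKE ?"
    args = ["%" + params.get("search_string", "") + "%"]  # bound, never spliced
    for col in ("company_id", "dept_id", "project_id"):
        if col in params:
            sql += " AND " + col + " = ?"
            args.append(int(params[col]))  # ValueError on "10 OR 1=1"
    if "where" in params:
        fragment = ALLOWED_FILTERS.get(params["where"])
        if fragment is None:
            raise ValueError("unknown filter: " + params["where"])
        sql += " AND " + fragment
    return con.execute(sql, args).fetchall()


def render_company_vulnerable(company_name):
    """Reflects the parameter straight into the page (reflected XSS)."""
    return "<h2>" + company_name + "</h2>"


def render_company_hardened(company_name):
    """HTML-encodes the value in the element-content context it lands in."""
    return "<h2>" + html.escape(company_name, quote=True) + "</h2>"


def is_safe_callback(callback):
    """Allowlist check for an identifier-only parameter."""
    return CALLBACK_RE.fullmatch(callback) is not None


if __name__ == "__main__":
    db = make_db()
    boolean_tautology = "' OR 1=1 --"
    print(search_vulnerable(db, {"search_string": boolean_tautology}))  # all rows
    print(search_hardened(db, {"search_string": boolean_tautology}))    # []
    print(render_company_hardened("<script>alert(1)</script>"))
```

The integer cast and the filter allowlist matter as much as the bound parameter: `dept_id`-style values and a raw `where` fragment are exactly the inputs that `?` placeholders cannot protect on their own. Note that `%` and `_` inside `search_string` are still LIKE wildcards after binding; that affects search results, not query structure, and is a separate escaping concern.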
The vulnerabilities are rated medium severity.
Solution: Upgrade your dotProject installation to version 2.1.7.
Original advisory: HTB23124: Multiple vulnerabilities in dotProject.