![Achievo resource management tool](http://www.achievo.org/img/achievo/achievo_logo.png)
Multiple security vulnerabilities (HTB23126) were found in Achievo version 1.4.5.
- SQL Injection vulnerability in Achievo:
The vulnerability was discovered in the "dispatch.php" script while handling the "activityid" HTTP GET parameter. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application's database. Successful exploitation of this vulnerability requires that the attacker be logged in to the application (registration is closed by default).
- Cross-Site Scripting (XSS) vulnerability in Achievo:
An input sanitization error was found in the "include.php" script when handling the "field" HTTP GET parameter. A remote attacker can execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
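A log check for the two parameters named above, added here as an example and not part of the advisory or of Achievo: it flags `dispatch.php` requests whose `activityid` is not a plain integer and `include.php` requests whose `field` is not a simple name. The expected value formats, the `/achievo/` path and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption (not stated in the advisory): a legitimate activityid is a plain
# integer and a legitimate "field" value is an identifier-like name.
RULES = {
    # script name: (parameter, allowlist pattern, finding label)
    "dispatch.php": ("activityid", re.compile(r"[0-9]+"),
                     "non-numeric activityid (possible SQL injection)"),
    "include.php": ("field", re.compile(r"[A-Za-z0-9_.\[\]-]+"),
                    "unexpected characters in field (possible XSS)"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_line(line):
    """Return the findings for one combined-format access log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    rule = RULES.get(url.path.rsplit("/", 1)[-1])
    if rule is None:
        return []
    param, allowed, label = rule
    # parse_qs percent-decodes values, so encoded input is checked in clear form.
    values = parse_qs(url.query, keep_blank_values=True).get(param, [])
    return [f"{label}: {v!r}" for v in values if not allowed.fullmatch(v)]

def scan(lines):
    """Return (line_number, finding) pairs for every flagged request."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in check_line(line)]

# Constructed sample log lines (documentation IP range, made-up path and values).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2013:13:55:36 +0000] "GET /achievo/dispatch.php?activityid=42 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [10/Oct/2013:13:56:01 +0000] "GET /achievo/dispatch.php?activityid=42%27 HTTP/1.1" 500 312',
    '192.0.2.77 - - [10/Oct/2013:13:56:09 +0000] "GET /achievo/include.php?field=%3Cb%3E HTTP/1.1" 200 900',
    '192.0.2.10 - - [10/Oct/2013:13:57:12 +0000] "GET /achievo/include.php?field=name HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

The same allowlists can be enforced in front of the application (for example in a reverse proxy rule) until a fixed version is deployed.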
Achievo is flexible web-based resource management software that is suitable for any medium-sized company that needs to keep track of its resources, projects, clients, contacts, planning and daily scheduling.