Summary
The host is running dotProject, which is prone to multiple Cross Site Scripting and SQL injection vulnerabilities.
Impact
Successful exploitation will allow attackers to steal cookie based authentication credentials of user and administrator, and can also execute arbitrary code in the browser of an unsuspecting user in the context of an affected site.
Impact Level : Application
Solution
Upgrade to dotProject version 2.1.3 or later
For updates check, http://www.dotproject.net/
Insight
The flaws exists due to,
- improper sanitisation of input value passed to inactive, date, calendar, callback and day_view, public, dialog and ticketsmith parameters in index.php before being returned to the user.
- failing to validate the input passed to the tab and user_id parameter in index.php file, before being used in SQL queries.
Affected
dotProject version 2.1.2 and prior on all platform.
References
Updated on 2017-03-28
Severity
Classification
-
CVE CVE-2008-3886 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities
- An Image Gallery Multiple Cross-Site Scripting Vulnerability
- Adobe ColdFusion HTTP Response Splitting Vulnerability
- Apache Solr XML External Entity(XXE) Vulnerability-01 Jan-14
- 12Planet Chat Server one2planet.infolet.InfoServlet XSS