2z project 0.9.6.1 allows remote attackers to obtain sensitive information via (1) a request to index.php with an invalid template or (2) a request to the default URI with certain year and month parameters, which reveals the path in various error messages.
2z Project is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input. These vulnerabilities include HTML-injection issues, a cross-site scripting issue, and an arbitrary-file-upload issue.

Attackers can exploit these issues to execute arbitrary HTML and script code in the context of the affected site. Successful exploits could allow an attacker to compromise the application, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.

2z Project 0.9.6.1 is vulnerable; other versions may also be affected.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: firstname.lastname@example.org.
An attacker can use a browser to exploit these issues. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting user to follow a malicious URI. The following proof-of-concept URIs are available: /data/vulnerabilities/exploits/27057.html
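The three weaknesses the advisory describes (path disclosure through error messages triggered by bad template, year and month parameters; unescaped user input reaching HTML; unrestricted file upload) share one root cause: request data is trusted before it is validated. The PHP below is an added example of how a defender would close each of them; it is not 2z Project's code, and the template names, directory layout, parameter names and function names are assumptions chosen for illustration.

```php
<?php
// Added example, not 2z Project code. Template names, directories and
// parameter names are assumptions made for illustration.
declare(strict_types=1);

// 1. Path disclosure: never render PHP errors (which include file paths)
//    to the client; log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const TEMPLATE_DIR       = __DIR__ . '/templates';              // assumed layout
const ALLOWED_TEMPLATES  = ['default', 'print', 'mobile'];      // assumed allow-list

/**
 * Resolve the requested template against a fixed allow-list.
 * An unknown name falls back to the default instead of being used in a
 * filesystem lookup, so no "file not found" message (and no path) can leak.
 */
function resolveTemplate(?string $requested): string
{
    if ($requested !== null && in_array($requested, ALLOWED_TEMPLATES, true)) {
        return TEMPLATE_DIR . '/' . $requested . '.tpl';
    }
    return TEMPLATE_DIR . '/default.tpl';
}

/**
 * Validate year and month as bounded integers; return null on anything else.
 * Returning null lets the caller answer with a generic 400 rather than an
 * error message assembled from the rejected value.
 */
function parseYearMonth(?string $year, ?string $month): ?array
{
    $y = filter_var($year,  FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1970, 'max_range' => 2100]]);
    $m = filter_var($month, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 12]]);
    if ($y === false || $m === false) {
        return null;
    }
    return ['year' => $y, 'month' => $m];
}

/** 2. HTML injection / XSS: escape anything user-controlled before it enters HTML. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * 3. Arbitrary file upload: accept a file only if both its extension and its
 *    sniffed MIME type are on an allow-list, and store it under a random,
 *    server-chosen name so the client never controls the path or the type.
 */
function storeUpload(array $file, string $destDir): ?string
{
    $allowedExt  = ['jpg', 'png', 'gif'];                       // assumed allow-list
    $allowedMime = ['image/jpeg', 'image/png', 'image/gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $allowedMime, true)) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $destDir . '/' . $name) ? $name : null;
}

// --- request handling --------------------------------------------------------
$template = resolveTemplate($_GET['template'] ?? null);
$ym       = parseYearMonth($_GET['year'] ?? null, $_GET['month'] ?? null);

if ($ym === null && (isset($_GET['year']) || isset($_GET['month']))) {
    http_response_code(400);
    echo 'Invalid date selection.';        // generic text, nothing reflected
    exit;
}

// Validated values reach the page only through the escaping helper.
$title = $ym ? sprintf('%04d-%02d', $ym['year'], $ym['month']) : 'Archive';
echo '<h1>' . h($title) . '</h1>';
```

The design choice worth noting is that every rejection path produces a fixed message: the request is never echoed back, and no filesystem operation is attempted with a name the client supplied, so there is no error text for a path to leak into.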