Vulnerabilities > Dotproject
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-10-21 | CVE-2012-5702 | Cross-Site Scripting vulnerability in Dotproject 2.1.6 Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to index.php. | 4.3 |
| 2014-10-20 | CVE-2012-5701 | Cross-Site Request Forgery (CSRF) vulnerability in Dotproject 2.1.6 Multiple SQL injection vulnerabilities in dotProject before 2.1.7 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) search_string or (2) where parameter in a contacts action, (3) dept_id parameter in a departments action, (4) project_id[] parameter in a project action, or (5) company_id parameter in a system action to index.php. | 6.8 |
| 2011-09-23 | CVE-2011-3729 | Information Exposure vulnerability in Dotproject 2.1.4 dotproject 2.1.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by style/dp-grey-theme/footer.php and certain other files. | 5.0 |
| 2009-04-23 | CVE-2008-6747 | Permissions, Privileges, and Access Controls vulnerability in Dotproject dotProject before 2.1.2 does not properly restrict access to administrative pages, which allows remote attackers to gain privileges. | 6.8 |
| 2008-09-02 | CVE-2008-3887 | SQL Injection vulnerability in Dotproject 2.1.2 Multiple SQL injection vulnerabilities in index.php in dotProject 2.1.2 allow (1) remote authenticated users to execute arbitrary SQL commands via the tab parameter in a projects action, and (2) remote authenticated administrators to execute arbitrary SQL commands via the user_id parameter in a viewuser action. | 6.0 |
| 2008-09-02 | CVE-2008-3886 | Cross-Site Scripting vulnerability in Dotproject 2.1.2 Multiple cross-site scripting (XSS) vulnerabilities in index.php in dotProject 2.1.2 allow remote attackers to inject arbitrary web script or HTML via (1) the inactive parameter in a tasks action, (2) the date parameter in a calendar day_view action, (3) the callback parameter in a public calendar action, or (4) the type parameter in a ticketsmith action. | 4.3 |
| 2007-10-16 | CVE-2007-5486 | Permissions, Privileges, and Access Controls vulnerability in Dotproject dotProject before 2.1 does not properly check privileges when invoking the Companies module, which allows remote attackers to access this module via a crafted URL. | 6.4 |
| 2007-06-14 | CVE-2007-3226 | Parameters Cross-Site Scripting vulnerability in Dotproject 2.1 Cross-site scripting (XSS) vulnerability in dotProject before 2.1 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2006-2851 and CVE-2006-3240. network dotproject | 4.3 |
| 2006-08-18 | CVE-2006-4234 | Remote File Include vulnerability in DotProject Query.Class.PHP PHP remote file inclusion vulnerability in classes/query.class.php in dotProject 2.0.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the baseDir parameter. | 7.5 |
| 2006-06-06 | CVE-2006-2851 | Cross-Site Scripting vulnerability in Dotproject 2.0/2.0.1/2.0.2 Cross-site scripting (XSS) vulnerability in index.php in dotProject 2.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, which are not properly handled when the client is using Internet Explorer. network dotproject | 4.3 |