Vulnerabilities > Dotproject
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2014-10-21 | CVE-2012-5702 | Cross-Site Scripting vulnerability in Dotproject 2.1.6 | Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to index.php. | 4.3 |
2014-10-20 | CVE-2012-5701 | Cross-Site Request Forgery (CSRF) vulnerability in Dotproject 2.1.6 | Multiple SQL injection vulnerabilities in dotProject before 2.1.7 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) search_string or (2) where parameter in a contacts action, (3) dept_id parameter in a departments action, (4) project_id[] parameter in a project action, or (5) company_id parameter in a system action to index.php. | 6.8 |
2011-09-23 | CVE-2011-3729 | Information Exposure vulnerability in Dotproject 2.1.4 | dotproject 2.1.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by style/dp-grey-theme/footer.php and certain other files. | 5.0 |
2009-04-23 | CVE-2008-6747 | Permissions, Privileges, and Access Controls vulnerability in Dotproject | dotProject before 2.1.2 does not properly restrict access to administrative pages, which allows remote attackers to gain privileges. | 6.8 |
2008-09-02 | CVE-2008-3887 | SQL Injection vulnerability in Dotproject 2.1.2 | Multiple SQL injection vulnerabilities in index.php in dotProject 2.1.2 allow (1) remote authenticated users to execute arbitrary SQL commands via the tab parameter in a projects action, and (2) remote authenticated administrators to execute arbitrary SQL commands via the user_id parameter in a viewuser action. | 6.0 |
2008-09-02 | CVE-2008-3886 | Cross-Site Scripting vulnerability in Dotproject 2.1.2 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in dotProject 2.1.2 allow remote attackers to inject arbitrary web script or HTML via (1) the inactive parameter in a tasks action, (2) the date parameter in a calendar day_view action, (3) the callback parameter in a public calendar action, or (4) the type parameter in a ticketsmith action. | 4.3 |
2007-10-16 | CVE-2007-5486 | Permissions, Privileges, and Access Controls vulnerability in Dotproject | dotProject before 2.1 does not properly check privileges when invoking the Companies module, which allows remote attackers to access this module via a crafted URL. | 6.4 |
2007-06-14 | CVE-2007-3226 | Parameters Cross-Site Scripting vulnerability in Dotproject 2.1 | Cross-site scripting (XSS) vulnerability in dotProject before 2.1 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2006-2851 and CVE-2006-3240. | 4.3 |
2006-08-18 | CVE-2006-4234 | Remote File Include vulnerability in DotProject Query.Class.PHP | PHP remote file inclusion vulnerability in classes/query.class.php in dotProject 2.0.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the baseDir parameter. | 7.5 |
2006-06-27 | CVE-2006-3240 | Cross-Site Scripting vulnerability in Dotproject 2.0/2.0.1/2.0.2 | Cross-site scripting (XSS) vulnerability in classes/ui.class.php in dotProject 2.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the login parameter. | 4.3 |