Vulnerabilities > Dotproject > Dotproject > 2.1.6
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2014-10-21 | CVE-2012-5702 | Cross-Site Scripting vulnerability in Dotproject 2.1.6 Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to index.php. | 4.3 |
2014-10-20 | CVE-2012-5701 | Cross-Site Request Forgery (CSRF) vulnerability in Dotproject 2.1.6 Multiple SQL injection vulnerabilities in dotProject before 2.1.7 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) search_string or (2) where parameter in a contacts action, (3) dept_id parameter in a departments action, (4) project_id[] parameter in a project action, or (5) company_id parameter in a system action to index.php. | 6.8 |