Vulnerabilities > Flyspray

DATE CVE VULNERABILITY TITLE RISK
2017-10-11 CVE-2017-15214 Cross-site Scripting vulnerability in Flyspray 1.0
Stored XSS vulnerability in Flyspray 1.0-rc4 before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges and also to execute JavaScript against other users (including unauthenticated users), via the name, title, or id parameter to plugins/dokuwiki/lib/plugins/changelinks/syntax.php.
network
flyspray CWE-79
3.5
2017-10-11 CVE-2017-15213 Cross-site Scripting vulnerability in Flyspray 1.0
Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the real_name or email_address field to themes/CleanFS/templates/common.editallusers.tpl.
network
flyspray CWE-79
3.5
2012-02-14 CVE-2012-1058 Cross-Site Request Forgery (CSRF) vulnerability in Flyspray 0.9.9.6
Cross-site request forgery (CSRF) vulnerability in Flyspray 0.9.9.6 allows remote attackers to hijack the authentication of admins for requests that add admin accounts via an admin.newuser action to index.php.
network
flyspray CWE-352
6.0
2008-03-05 CVE-2008-1166 Information Exposure vulnerability in Flyspray
Flyspray 0.9.9.4 generates different error messages depending on whether the username is valid or invalid, which allows remote attackers to enumerate usernames.
network
low complexity
flyspray CWE-200
5.0
2008-03-05 CVE-2008-1165 Cross-Site Scripting vulnerability in Flyspray
Multiple cross-site scripting (XSS) vulnerabilities in Flyspray 0.9.9 through 0.9.9.4 allow remote attackers to inject arbitrary web script or HTML via (1) a forced SQL error message or (2) old_value and new_value database fields in task summaries, related to the item_summary parameter in a details action in index.php.
network
flyspray CWE-79
4.3
2007-12-20 CVE-2007-6461 Cross-Site Scripting vulnerability in Flyspray
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flyspray 0.9.9 through 0.9.9.3 allow remote attackers to inject arbitrary web script or HTML via (1) the query string in an index action, related to the savesearch JavaScript function; and (2) the details parameter in a details action, related to the History tab and the getHistory JavaScript function.
network
flyspray CWE-79
4.3
2007-03-31 CVE-2007-1789 Security Bypass And Information Disclosure vulnerability in Flyspray 0.9.9
Flyspray 0.9.9 allows remote attackers to obtain sensitive information (private project summaries) via direct requests.
network
flyspray
6.8
2007-03-31 CVE-2007-1788 Security Bypass And Information Disclosure vulnerability in Flyspray 0.9.9
Flyspray 0.9.9, when output_buffering is disabled or "set to a low value," allows remote attackers to bypass authentication via a crafted post request.
network
flyspray
6.8
2006-02-15 CVE-2006-0714 Remote File Include vulnerability in Flyspray 0.9.7
Directory traversal vulnerability in the installation file (sql/install-0.9.7.php) in Flyspray 0.9.7 allows remote attackers to include arbitrary files via a ..
network
low complexity
flyspray
5.0
2005-10-27 CVE-2005-3334 Cross-Site Scripting vulnerability in Flyspray 0.9.7/0.9.8
Cross-site scripting (XSS) vulnerability in index.php in Flyspray 0.9.7 through 0.9.8 (devel) allows remote attackers to inject arbitrary web script or HTML via the (1) PHPSESSID, (2) task, (3) string, (4) type, (5) serv, (6) due, (7) dev, and (8) sort2 parameters.
network
flyspray
4.3