Multiple vulnerabilities in dotProject
| Vulnerable Versions: | 2.1.6 and probably prior |
| Advisory Publication: | October 31, 2012 [without technical details] |
| Vendor Notification: | October 31, 2012 |
| Vendor Fix: | November 7, 2012 |
| Public Disclosure: | November 21, 2012 |
| Latest Update: | November 15, 2012 |
| Vulnerability Type: | SQL Injection [CWE-89], Cross-Site Scripting [CWE-79] |
| CVSSv2 Base Scores: | 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P) |
| Solution Status: | Fixed by Vendor |
| Discovered and Provided: | High-Tech Bridge Security Research Lab |
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in dotProject, which can be exploited to perform SQL injection and cross-site scripting (XSS) attacks.
Upgrade to dotProject 2.1.7
High-Tech Bridge Advisory HTB23124 - https://www.htbridge.com/advisory/HTB23124 - Multiple vulnerabilities in dotProject.
dotProject - http://www.dotproject.net - dotProject is a volunteer supported Project Management application.
Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.