Test ID:	1.3.6.1.4.1.25623.1.0.900116
Category:	Web application abuses
Title:	dotProject Multiple XSS and SQLi Vulnerabilities
Summary:	dotProject is prone to multiple cross-site scripting (CSS); and SQL injection (SQLi) vulnerabilities.
Description:	Summary: dotProject is prone to multiple cross-site scripting (CSS) and SQL injection (SQLi) vulnerabilities. Vulnerability Insight: The flaws exist due to: - improper sanitisation of input value passed to inactive, date, calendar, callback and day_view, public, dialog and ticketsmith parameters in index.php before being returned to the user. - failing to validate the input passed to the tab and user_id parameter in index.php file, before being used in SQL queries. Vulnerability Impact: Successful exploitation will allow attackers to steal cookie based authentication credentials of user and administrator, and can also execute arbitrary code in the browser of an unsuspecting user in the context of an affected site. Affected Software/OS: dotProject version 2.1.2 and prior on all platform. Solution: Upgrade to dotProject version 2.1.3 or later. CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2008-3886 BugTraq ID: 30924 http://www.securityfocus.com/bid/30924 http://packetstorm.linuxsecurity.com/0808-exploits/dotproject-sqlxss.txt http://secunia.com/advisories/31681 XForce ISS Database: dotproject-inactive-date-xss(44770) https://exchange.xforce.ibmcloud.com/vulnerabilities/44770
Copyright	Copyright (C) 2008 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.