[Japanese]

JVNDB-2006-000622

dotProject cross-site scripting vulnerability

Overview

dotProject, an open source project management tool, contains a cross-site scripting vulnerability.

As of June 5, 2006, it is confirmed that Internet Explorer is affected by this vulnerability. It is also confirmed that Mozilla Firefox and Opera are not affected by this vulnerability.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


dotProject
  • dotProject 2.0.2 and earlier

Impact

An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking.
Solution

Vendor Information

dotProject
CWE (What is CWE?)

CVE (What is CVE?)

  1. CVE-2006-2851
References

  1. JVN : JVN#97636431
  2. National Vulnerability Database (NVD) : CVE-2006-2851
  3. Secunia Advisory : SA20418
  4. SecurityFocus : 18275
  5. FrSIRT Advisories : FrSIRT/ADV-2006-2124
Revision History

  • [2008/05/21]
      Web page published