JVNDB-2007-000454

dotProject cross-site scripting vulnerability

Overview

dotProject, an open source project management tool, contains a cross-site scripting vulnerability.

This vulnerability is different from JVN#97636431.
CVSS Severity

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

dotProject
  • dotProject 2.0.4 and earlier
Impact

An arbitrary script may be executed on the user's web browser. In particular, if session information stored in a cookie is leaked, the user's session could be hijacked.
Solution

[Update the Software]

The developer has released dotProject version 2.1 RC2, which addresses this vulnerability. We recommend that users upgrade to this version.
Vendor Information

dotProject
References

  1. JVN : JVN#63602912
  2. National Vulnerability Database (NVD) : CVE-2007-3226
  3. Common Vulnerabilities and Exposures (CVE) : CVE-2007-3226
  4. Secunia Advisory : SA25638
Revision History

[2008/05/21]
  Web page published


Date Public: 2007/06/14
Date First Published: 2008/05/21
Date Last Updated: 2008/05/21