Description
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to index.php. NOTE: the date parameter vector is already covered by CVE-2008-3886.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by High-Tech Bridge · text · webapps · php
https://www.exploit-db.com/exploits/38043
References (6)
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/87627
Exploit x_refsource_misc
https://www.htbridge.com/advisory/HTB23124
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/56624
Patch x_refsource_confirm
http://sourceforge.net/projects/dotproject/files/dotproject/dotProject%20Version%202.1.7/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/80216
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/51332
Scores
EPSS
0.0093
EPSS Percentile
76.2%
Details
CWE
CWE-79
Status
published
Products (1)
dotproject/dotproject
< 2.1.6
Published
Oct 21, 2014
Tracked Since
Feb 18, 2026