BugTracker.NET Cross-Site Scripting and SQL Injection Vulnerabilities (CVE-2010-3266, CVE-2010-3267)

Severity
Not available
CVSSv3 Score
Not available
Vulnerability description

BugTracker.NET is prone to cross-site scripting and SQL injection vulnerabilities.

Risk description

The flaws are due to:

- Input passed to the pcd parameter in edit_bug.aspx, the bug_id parameter in edit_comment.aspx, the default_name parameter in edit_customfield.aspx, and the id parameter in edit_user_permissions2.aspx is not properly sanitised before being returned to the user.
- Input passed via the qu_id parameter to bugs.aspx, the row_id parameter to delete_query.aspx, the us_id and new_project parameters to edit_bug.aspx, and the bug_list parameter to massedit.aspx is not properly sanitised before being used in a SQL query.

Successful exploitation will allow an attacker to perform SQL injection and cross-site scripting attacks.

Recommendation

Upgrade to BugTracker.NET version 3.4.5 or later.

Codename
Not available
Detectable with
Network Scanner
Scan engine
OpenVAS
Exploitable with Sniper
No
CVE Published
Dec 2, 2010
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available