National Cyber-Alert System
Vulnerability Summary for CVE-2006-1479
Original release date:03/29/2006
Last revised:09/05/2008
Source:
US-CERT/NIST
Overview
Multiple cross-site scripting (XSS) vulnerabilities in Serge Rey gtd-php (aka Getting Things Done) 0.5 allow remote attackers to inject arbitrary web script or HTML via the Description field in (1) newProject.php, (2) newList.php, and (3) newWaitingOn.php; the Title field in (4) newProject.php, (5) newList.php, (6) newWaitingOn.php, (7) newChecklist.php, (8) newContext.php, and (9) newGoal.php; the (10) Category Name field in newCategory.php; the (11) listTitle field in listReport.php; the (12) projectName field in projectReport.php; and the (13) checklistTitle field in checklistReport.php.
Impact
CVSS Severity (version 2.0):
Impact Subscore:
2.9
Exploitability Subscore:
8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type:Allows unauthorized modification
- Official Statement from (12/03/2007)
-
As of rev445, gtd-php v0.8 beta, available from http://www.gtd-php.com/Main/Download , the vulnerabilities are addressed.
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.
External Source: OSVDB
Name: 24158
External Source: OSVDB
Name: 24157
External Source: OSVDB
Name: 24156
External Source: OSVDB
Name: 24155
External Source: OSVDB
Name: 24154
External Source: OSVDB
Name: 24153
External Source: OSVDB
Name: 24152
External Source: OSVDB
Name: 24151
External Source: OSVDB
Name: 24150
External Source: OSVDB
Name: 24149
External Source: MISC
Name: http://osvdb.org/ref/24/24149-gtd-php.txt
External Source: XF
Name: gtdphp-multiple-scripts-xss(25553)
External Source: BID
Name: 17366
External Source: VUPEN
Name: ADV-2006-1203
External Source: SECUNIA
Name: 19512