MidnightBSD

Advisories for achievo

CVE-2002-1435 HIGH

class.atkdateattribute.js.php in Achievo 0.7.0 through 0.9.1, except 0.8.2, allows remote attackers to execute arbitrary PHP code when the 'allow_url_fopen' setting is enabled via a URL in the config_atkroot parameter that points to the code.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
achievo achievo 0.8.0_rc2
achievo achievo 0.9.1
achievo achievo 0.7.1
achievo achievo 0.8.0
achievo achievo 0.8.1
achievo achievo 0.7.3
achievo achievo 0.7.2
achievo achievo 0.8.0_rc1
achievo achievo 0.9.0
achievo achievo 0.7.0
CVE-2006-2688 MEDIUM

SQL injection vulnerability in the employees node (class.employee.inc) in Achievo 1.1.0 and earlier and 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the atkselector parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
achievo achievo 1.1.0
achievo achievo 1.2.0
CVE-2011-3697 MEDIUM

Achievo 1.4.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/graph/jpgraph/jpgraph_radar.php and certain other files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
achievo achievo 1.4.5
CVE-2012-5865 MEDIUM

SQL injection vulnerability in dispatch.php in Achievo 1.4.5 allows remote authenticated users to execute arbitrary SQL commands via the activityid parameter in a stats action.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
achievo achievo 1.4.5
CVE-2012-5866 MEDIUM

Cross-site scripting (XSS) vulnerability in include.php in Achievo 1.4.5 allows remote attackers to inject arbitrary web script or HTML via the field parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
achievo achievo 1.4.5