Multiple cross-site scripting (XSS) vulnerabilities in ProjeQtOr (formerly Project'Or RIA) before 4.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to view/parameter.php, (2) p1value parameter to view/main.php, or (3) objectClass parameter to view/objectDetail.php.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| projeqtor | projeqtor | 1.5.5 |
| projeqtor | projeqtor | 3.1.4 |
| projeqtor | projeqtor | 1.6.2 |
| projeqtor | projeqtor | 2.2.3 |
| projeqtor | projeqtor | 3.1.1 |
| projeqtor | projeqtor | 0.8.1 |
| projeqtor | projeqtor | 3.2.1 |
| projeqtor | projeqtor | 0.4.0 |
| projeqtor | projeqtor | 1.9.0 |
| projeqtor | projeqtor | 3.1.2 |
| projeqtor | projeqtor | 1.4.0 |
| projeqtor | projeqtor | 3.4.1 |
| projeqtor | projeqtor | 1.4.1 |
| projeqtor | projeqtor | 1.5.1 |
| projeqtor | projeqtor | 0.2.0 |
| projeqtor | projeqtor | 1.3.1 |
| projeqtor | projeqtor | 0.5.0 |
| projeqtor | projeqtor | 3.0.1 |
| projeqtor | projeqtor | 0.7.0 |
| projeqtor | projeqtor | 1.7.0 |
| projeqtor | projeqtor | 0.9.0 |
| projeqtor | projeqtor | 3.1.0 |
| projeqtor | projeqtor | 3.4.0 |
| projeqtor | projeqtor | 2.4.2 |
| projeqtor | projeqtor | 2.1.0 |
| projeqtor | projeqtor | 3.4.3 |
| projeqtor | projeqtor | 1.0.1 |
| projeqtor | projeqtor | 0.3.0 |
| projeqtor | projeqtor | 2.5.2 |
| projeqtor | projeqtor | 3.2.2 |
| projeqtor | projeqtor | 3.3.0 |
| projeqtor | projeqtor | 2.6.2 |
| projeqtor | projeqtor | 3.0.2 |
| projeqtor | projeqtor | 3.3.2 |
| projeqtor | projeqtor | * |
| projeqtor | projeqtor | 2.6.0 |
| projeqtor | projeqtor | 3.4.2 |
| projeqtor | projeqtor | 0.8.0 |
| projeqtor | projeqtor | 1.4.2 |
| projeqtor | projeqtor | 1.7.1 |
| projeqtor | projeqtor | 1.7.2 |
| projeqtor | projeqtor | 2.2.0 |
| projeqtor | projeqtor | 2.5.3 |
| projeqtor | projeqtor | 1.8.0 |
| projeqtor | projeqtor | 1.5.3 |
| projeqtor | projeqtor | 1.8.3 |
| projeqtor | projeqtor | 2.2.1 |
| projeqtor | projeqtor | 2.1.1 |
| projeqtor | projeqtor | 1.2.1 |
| projeqtor | projeqtor | 1.1.0 |
| projeqtor | projeqtor | 1.9.1 |
| projeqtor | projeqtor | 0.6.1 |
| projeqtor | projeqtor | 1.6.1 |
| projeqtor | projeqtor | 2.2.2 |
| projeqtor | projeqtor | 2.6.3 |
| projeqtor | projeqtor | 1.5.0 |
| projeqtor | projeqtor | 1.5.2 |
| projeqtor | projeqtor | 1.5.4 |
| projeqtor | projeqtor | 3.3.1 |
| projeqtor | projeqtor | 2.5.0 |
| projeqtor | projeqtor | 3.2.0 |
| projeqtor | projeqtor | 2.4.1 |
| projeqtor | projeqtor | 0.1.0 |
| projeqtor | projeqtor | 2.0.0 |
| projeqtor | projeqtor | 3.1.3 |
| projeqtor | projeqtor | 2.4.0 |
| projeqtor | projeqtor | 1.0.0 |
| projeqtor | projeqtor | 1.2.0 |
| projeqtor | projeqtor | 2.6.1 |
| projeqtor | projeqtor | 1.8.2 |
| projeqtor | projeqtor | 1.3.0 |
| projeqtor | projeqtor | 1.6.0 |
| projeqtor | projeqtor | 2.0.1 |
| projeqtor | projeqtor | 2.5.1 |
| projeqtor | projeqtor | 2.3.0 |
| projeqtor | projeqtor | 1.8.1 |
| projeqtor | projeqtor | 2.4.3 |
| projeqtor | projeqtor | 0.6.0 |
| projeqtor | projeqtor | 3.0.0 |
SQL injection vulnerability in view/objectDetail.php in Project'Or RIA 3.4.0 allows remote attackers to execute arbitrary SQL commands via the objectId parameter.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| projeqtor | projeqtor | 3.4.0 |
uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated users to execute arbitrary PHP code by uploading a .php file composed of concatenated image data and script data, as demonstrated by uploading as an image within the description text area.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| projeqtor | projeqtor | * |
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-459,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| projeqtor | projeqtor | * |
A Cross Site Scripting (XSS) vulnerability exists in Projeqtor 9.3.1 via /projeqtor/tool/saveAttachment.php, which allows an attacker to upload a SVG file containing malicious JavaScript code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 3.1 | 6.0 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| projeqtor | projeqtor | * |
Cross Site Scripting (XSS) vulnerability in ProjeQtOr 11.0.2 allows a remote attacker to execute arbitrary code via a crafted script to thecheckvalidHtmlText function in the ack.php and security.php files.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| projeqtor | projeqtor | * |