Flyspray
by Flyspray
Source repositories
CVEs (11)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-15214 | Med | 0.35 | 5.4 | 0.01 | Oct 11, 2017 | Stored XSS vulnerability in Flyspray 1.0-rc4 before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges and also to execute JavaScript against other users (including unauthenticated users), via the name, title, or id parameter to… | ||
| CVE-2017-15213 | Med | 0.35 | 5.4 | 0.01 | Oct 11, 2017 | Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the real_name or email_address field to themes/CleanFS/templates/common.editallusers.tpl. | ||
| CVE-2006-0714 | 0.04 | — | 0.08 | Feb 15, 2006 | Directory traversal vulnerability in the installation file (sql/install-0.9.7.php) in Flyspray 0.9.7 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the adodbpath parameter. | |||
| CVE-2012-1058 | 0.03 | — | 0.01 | Feb 14, 2012 | Cross-site request forgery (CSRF) vulnerability in Flyspray 0.9.9.6 allows remote attackers to hijack the authentication of admins for requests that add admin accounts via an admin.newuser action to index.php. | |||
| CVE-2006-6203 | 0.03 | — | 0.03 | Dec 1, 2006 | Directory traversal vulnerability in startdown.php in the Flyspray ME 1.0.1 (com_flyspray) component for Mambo allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. | |||
| CVE-2005-3334 | 0.03 | — | 0.05 | Oct 27, 2005 | Cross-site scripting (XSS) vulnerability in index.php in Flyspray 0.9.7 through 0.9.8 (devel) allows remote attackers to inject arbitrary web script or HTML via the (1) PHPSESSID, (2) task, (3) string, (4) type, (5) serv, (6) due, (7) dev, and (8) sort2 parameters. | |||
| CVE-2008-1166 | 0.00 | — | 0.01 | Mar 5, 2008 | Flyspray 0.9.9.4 generates different error messages depending on whether the username is valid or invalid, which allows remote attackers to enumerate usernames. | |||
| CVE-2008-1165 | 0.00 | — | 0.01 | Mar 5, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in Flyspray 0.9.9 through 0.9.9.4 allow remote attackers to inject arbitrary web script or HTML via (1) a forced SQL error message or (2) old_value and new_value database fields in task summaries, related to the item_summary… | |||
| CVE-2007-6461 | 0.00 | — | 0.01 | Dec 20, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flyspray 0.9.9 through 0.9.9.3 allow remote attackers to inject arbitrary web script or HTML via (1) the query string in an index action, related to the savesearch JavaScript function; and (2) the details… | |||
| CVE-2007-1789 | 0.00 | — | 0.01 | Mar 31, 2007 | Flyspray 0.9.9 allows remote attackers to obtain sensitive information (private project summaries) via direct requests. | |||
| CVE-2007-1788 | 0.00 | — | 0.01 | Mar 31, 2007 | Flyspray 0.9.9, when output_buffering is disabled or "set to a low value," allows remote attackers to bypass authentication via a crafted post request. |
- risk 0.35cvss 5.4epss 0.01
Stored XSS vulnerability in Flyspray 1.0-rc4 before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges and also to execute JavaScript against other users (including unauthenticated users), via the name, title, or id parameter to…
- risk 0.35cvss 5.4epss 0.01
Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the real_name or email_address field to themes/CleanFS/templates/common.editallusers.tpl.
- CVE-2006-0714Feb 15, 2006risk 0.04cvss —epss 0.08
Directory traversal vulnerability in the installation file (sql/install-0.9.7.php) in Flyspray 0.9.7 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the adodbpath parameter.
- CVE-2012-1058Feb 14, 2012risk 0.03cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in Flyspray 0.9.9.6 allows remote attackers to hijack the authentication of admins for requests that add admin accounts via an admin.newuser action to index.php.
- CVE-2006-6203Dec 1, 2006risk 0.03cvss —epss 0.03
Directory traversal vulnerability in startdown.php in the Flyspray ME 1.0.1 (com_flyspray) component for Mambo allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
- CVE-2005-3334Oct 27, 2005risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in index.php in Flyspray 0.9.7 through 0.9.8 (devel) allows remote attackers to inject arbitrary web script or HTML via the (1) PHPSESSID, (2) task, (3) string, (4) type, (5) serv, (6) due, (7) dev, and (8) sort2 parameters.
- CVE-2008-1166Mar 5, 2008risk 0.00cvss —epss 0.01
Flyspray 0.9.9.4 generates different error messages depending on whether the username is valid or invalid, which allows remote attackers to enumerate usernames.
- CVE-2008-1165Mar 5, 2008risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Flyspray 0.9.9 through 0.9.9.4 allow remote attackers to inject arbitrary web script or HTML via (1) a forced SQL error message or (2) old_value and new_value database fields in task summaries, related to the item_summary…
- CVE-2007-6461Dec 20, 2007risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flyspray 0.9.9 through 0.9.9.3 allow remote attackers to inject arbitrary web script or HTML via (1) the query string in an index action, related to the savesearch JavaScript function; and (2) the details…
- CVE-2007-1789Mar 31, 2007risk 0.00cvss —epss 0.01
Flyspray 0.9.9 allows remote attackers to obtain sensitive information (private project summaries) via direct requests.
- CVE-2007-1788Mar 31, 2007risk 0.00cvss —epss 0.01
Flyspray 0.9.9, when output_buffering is disabled or "set to a low value," allows remote attackers to bypass authentication via a crafted post request.