PT-2008-5222 · Dotproject · Dotproject

Published 2008-09-02 · Updated 2017-08-08 · CVE-2008-3887

CVSS v2.0: 6.0 (Medium)

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: dotProject version 2.1.2
Description: Multiple SQL injection vulnerabilities exist in the index.php file of dotProject 2.1.2. Remote authenticated users can execute arbitrary SQL commands via the tab parameter of a "projects" action, and remote authenticated administrators can execute arbitrary SQL commands via the user id parameter of a "viewuser" action. In both cases a request parameter reaches a database query without being validated or bound, so a crafted value is interpreted as part of the SQL statement.
Recommendations: Update dotProject 2.1.2 to a version that addresses these SQL injection vulnerabilities. As a temporary workaround, restrict access to the "projects" and "viewuser" actions in index.php to trusted accounts, and reject requests whose tab or user id parameter is not the simple numeric value those actions expect, until the fix is applied. Note that the attacker in both cases must already hold a valid account (an administrator account for the "viewuser" case), so account hygiene and monitoring of authenticated requests to these actions also reduce exposure.
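The two patterns the description and recommendations refer to, shown side by side as an added example. This is illustrative code written for this page, not dotProject's own handler: the table and column names, the SQLite connection, and the `parse_tab` / `fetch_projects_by_tab` helpers are assumptions chosen to make the example run offline. The unsafe builder shows how a tab value is spliced into the statement text; the hardened path enforces the expected integer type and binds the value so the database never parses attacker-controlled SQL.

```php
<?php
// Added illustration (not dotProject's code) of the vulnerable pattern behind
// CVE-2008-3887 and its hardened form. Table/column names are assumptions.

// Vulnerable pattern: the request parameter is interpolated into the SQL text,
// so the value is parsed by the database as part of the statement.
function tab_query_unsafe(string $tab): string {
    return "SELECT project_id, project_name FROM projects WHERE project_status = $tab";
}

// Hardened step 1: enforce the expected type before the value touches SQL.
// The tab selector is a small non-negative integer; anything else is rejected.
function parse_tab(string $raw): int {
    if (!preg_match('/^\d{1,3}$/', $raw)) {
        throw new InvalidArgumentException("invalid tab parameter");
    }
    return (int) $raw;
}

// Hardened step 2: never build SQL from the value at all; bind it as a parameter.
function fetch_projects_by_tab(PDO $pdo, string $rawTab): array {
    $tab = parse_tab($rawTab);
    $stmt = $pdo->prepare(
        'SELECT project_id, project_name FROM projects WHERE project_status = :tab'
    );
    $stmt->bindValue(':tab', $tab, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload of the kind the advisory describes: a UNION that reads
// two columns from another (assumed) table to match the original select list.
$payload = '1 UNION SELECT user_username, user_password FROM users';

// The unsafe builder happily produces a statement containing the injected UNION.
echo tab_query_unsafe($payload), PHP_EOL;

// The hardened path refuses the same value before any query is built.
try {
    parse_tab($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}

// Run the hardened path against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE projects (project_id INTEGER, project_name TEXT, project_status INTEGER)');
$pdo->exec("INSERT INTO projects VALUES (1, 'Alpha', 0), (2, 'Beta', 1)");
var_dump(fetch_projects_by_tab($pdo, '1'));   // only the row with project_status = 1
```

The same two steps apply to the user id parameter of the "viewuser" action: validate that it is an integer, then bind it. Type enforcement alone is a useful stopgap (it is what the workaround above amounts to), but the bound parameter is the actual fix, because it holds even for parameters that legitimately carry free-form text.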

Exploit

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2008-3887

Affected products

Dotproject