CVE-2012-5702

Name of the Vulnerable Software and Affected Versions dotProject versions prior to 2.1.7

Description The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters in actions to index.php, including the callback parameter in a color selector action, the field parameter in a date format action, or the company name parameter in an addedit action.

Recommendations For versions prior to 2.1.7, update to version 2.1.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters callback, field, and company name in their respective actions until a patch is available.