CVE-2005-4485

Name of the Vulnerable Software and Affected Versions ProjectApp versions 3.3 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters to different API endpoints, including the keywords parameter to "/forums.asp", "/search employees.asp", "/cat.asp", and "/links.asp", the projectid parameter to "/pmprojects.asp", the ret page parameter to "/login.asp", and the skin number parameter to "/default.asp".

Recommendations For ProjectApp versions 3.3 and earlier, update to a version later than 3.3 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints "/forums.asp", "/search employees.asp", "/cat.asp", "/links.asp", "/pmprojects.asp", "/login.asp", and "/default.asp" until a patch is available. Avoid using the parameters keywords, projectid, ret page, and skin number in the affected API endpoints until the issue is resolved.