CVE-2006-1479

Name of the Vulnerable Software and Affected Versions: Serge Rey gtd-php version 0.5

Description: The issue allows remote attackers to inject arbitrary web script or HTML via various fields, including the Description field in newProject.php, newList.php, and newWaitingOn.php; the Title field in multiple scripts such as newProject.php, newList.php, newWaitingOn.php, newChecklist.php, newContext.php, and newGoal.php; the Category Name field in newCategory.php; the listTitle field in listReport.php; the projectName field in projectReport.php; and the checklistTitle field in checklistReport.php. This can be achieved by exploiting API endpoints such as "newProject.php", "newList.php", and others, by manipulating variables like Description, Title, Category Name, listTitle, projectName, and checklistTitle.

Recommendations: For version 0.5, consider disabling the affected scripts, such as newProject.php, newList.php, and newWaitingOn.php, until a patch is available. Restrict access to the vulnerable fields, including Description, Title, Category Name, listTitle, projectName, and checklistTitle, to minimize the risk of exploitation. Avoid using these fields in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.