PT-2007-2958 · Phprojekt · Phprojekt

Published

2007-03-21

Updated

2018-10-16

CVE-2007-1575

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions PHProjekt version 5.2.0

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This is possible due to multiple SQL injection vulnerabilities when the magic quotes gpc setting is disabled. The vulnerabilities are found in the calendar and search modules, as well as in an unspecified cookie when the user logs out.

Recommendations For PHProjekt version 5.2.0, consider disabling the calendar and search modules until a patch is available. Additionally, restrict access to the logout functionality to minimize the risk of exploitation. As a temporary workaround, enable the magic quotes gpc setting to prevent SQL injection attacks.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2007-1575

Affected Products

Phprojekt

PT-2007-2958 · Phprojekt · Phprojekt

CVE-2007-1575

Related Identifiers

Affected Products

References · 9