CVE-2007-2005

Name of the Vulnerable Software and Affected Versions Taskhopper version 1.1

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig absolute path parameter to various PHP files, including "contact type.php", "itemstatus type.php", "projectstatus type.php", "request type.php", "responses type.php", "timelog type.php", and "urgency type.php" in the "inc/" directory.

Recommendations For Taskhopper version 1.1, consider restricting access to the mosConfig absolute path parameter to prevent remote file inclusion attacks. As a temporary workaround, restrict access to the affected PHP files in the "inc/" directory until a patch is available. Avoid using the mosConfig absolute path parameter in the affected API endpoints until the issue is resolved.