CVE-2010-3266

Name of the Vulnerable Software and Affected Versions BugTracker.NET versions prior to 3.4.5

Description The issue allows remote authenticated users to inject arbitrary web script or HTML. This can be achieved via several parameters, including pcd in the "edit bug.aspx" endpoint, bug id in the "edit comment.aspx" endpoint, id in the "edit user permissions2.aspx" endpoint, or default name in the "edit customfield.aspx" endpoint.

Recommendations For versions prior to 3.4.5, update to version 3.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected endpoints, such as "edit bug.aspx", "edit comment.aspx", "edit user permissions2.aspx", and "edit customfield.aspx", until the update is applied. Avoid using the vulnerable parameters pcd, bug id, id, and default name in the respective endpoints until the issue is resolved.