BugTracker.Net: Multiple Vulnerabilities

vulnerability management 12:28 pm on December 4, 2010 Permalink Reply
Tags: aspx ( 2 ), bugtracker ( 3 ), BugTracker.Net, critical watch ( 900 ), sanitization ( 3 ), vulnerabilities ( 108 ), vulnerability ( 725 ), vulnerability management ( 512 )   

Users of BugTracker.Net please be advised of Multiple vulnerabilities that has been identified.
To view this vulnerability, possible remedies, and others please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx)

Amplify’d from http://www.criticalwatch.com

CORE-2010-1109: [CORE-2010-1109] Multiple vulnerabilities in BugTracker.Net

*Vulnerability Description* BugTracker.NET [1][2] is an open-source web-based bug tracker written using ASP.NET, C#, and Microsoft SQL Server. Several cross-site scripting and SQL-injection vulnerabilities were found in the following files of the BugTracker.NET: . *bugs.aspx*. SQL injection in line 141. . *delete_query.aspx*. No sanitization for ‘row_id.Value’ in line 30. . *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857. . *edit_bug.aspx*. No sanitization for variable ‘new_project’, line 2214. . *edit_bug.aspx*. XSS in line 2918. . *edit_comment.aspx*. XSS in line 233. . *edit_customfield.aspx*. Lines 165 and 172, no sanitization. . *edit_user_permissions2.aspx*. XSS in line 40. . *massedit.aspx*. SQL Injection in line 162. Read more at http://www.criticalwatch.com

 

See this Amp at http://bit.ly/gNT2lW