BugTracker.Net: Several Cross-Site Scripting and SQL-Injection Vulnerabilities 

Users of BugTracker.Net please be advised of Several cross-site scripting and SQL-injection vulnerabilities that has been identified.
To view this vulnerability, possible remedies, and others please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx)

CORE-2010-1109: [CORE-2010-1109] Multiple vulnerabilities in BugTracker.Net
*Vulnerability Description*

BugTracker.NET [1][2] is an open-source web-based bug tracker written
using ASP.NET, C#, and Microsoft SQL Server. Several cross-site
scripting and SQL-injection vulnerabilities were found in the following
files of the BugTracker.NET:

. *bugs.aspx*. SQL injection in line 141.
. *delete_query.aspx*. No sanitization for ‘row_id.Value’ in line 30.
. *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857.
. *edit_bug.aspx*. No sanitization for variable ‘new_project’, line 2214.
. *edit_bug.aspx*. XSS in line 2918.
. *edit_comment.aspx*. XSS in line 233.
. *edit_customfield.aspx*. Lines 165 and 172, no sanitization.
. *edit_user_permissions2.aspx*. XSS in line 40.
. *massedit.aspx*. SQL Injection in line 162.

Read more at http://www.criticalwatch.com