ID de Prueba:	1.3.6.1.4.1.25623.1.0.902407
Categoría:	Web application abuses
Título:	BugTracker.NET Cross-Site Scripting and SQL Injection Vulnerabilities
Resumen:	BugTracker.NET is prone to cross-site scripting and SQL injection vulnerabilities.
Descripción:	Summary: BugTracker.NET is prone to cross-site scripting and SQL injection vulnerabilities. Vulnerability Insight: The flaws are due to: - Input passed to the 'pcd' parameter in edit_bug.aspx, 'bug_id' parameter in edit_comment.aspx, 'default_name' parameter in edit_customfield.aspx, and 'id' parameter in edit_user_permissions2.aspx is not properly sanitised before being returned to the user. - Input passed via the 'qu_id' parameter to bugs.aspx, 'row_id' parameter to delete_query.aspx, 'us_id' and 'new_project' parameters to edit_bug.aspx, and 'bug_list' parameter to massedit.aspx is not properly sanitised before being used in a SQL query. Vulnerability Impact: Successful exploitation will allow attacker to cause SQL Injection attack and to conduct cross-site scripting attacks. Affected Software/OS: BugTracker.NET version prior to 3.4.5. Solution: Upgrade to BugTracker.NET version 3.4.5 or later. CVSS Score: 6.5 CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2010-3266 BugTraq ID: 45121 http://www.securityfocus.com/bid/45121 Bugtraq: 20101130 CORE-2010-1109 - Multiple vulnerabilities in BugTracker.Net (Google Search) http://www.securityfocus.com/archive/1/514957/100/0/threaded http://www.exploit-db.com/exploits/15653 http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker http://secunia.com/advisories/42418 Common Vulnerability Exposure (CVE) ID: CVE-2010-3267
Copyright	Copyright (C) 2011 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.