MySQL Eventum Issue / Bug Tracking System
MySQL Eventum 1.3.1 contains multiple multiple cross site scripting (XSS) vulnerabilities.
MySQL Eventum 1.3.1
The Eventum bug tracking system has multiple variables that do not filter user supplied input. This could allow an attacker to perform Cross Site Scripting (XSS)
XSS is possible in the following pages/fields:
The preferences.php will save the XSS values and display them to any user that views the user's information (i.e., and administrator). These fields are
escaped to prevent SQL injection attacks.
MySQL reports Eventum release 1.4 resolves these issues.
MySQL was notified on 12/28/2004. The MySQL bug report system immediately makes issues public, which is why this release coincides with vendor disclosure.
Updated information can be found on OSVDB.org under the following entries:
|OSVDB-12606||MySQL Eventum index.php XSS|
|OSVDB-12607||MySQL Eventum forgot_password.php XSS|
|OSVDB-12608||MySQL Eventum preferences.php XSS|
|OSVDB-12609||MySQL Eventum projects.php XSS|