CVE-2013-3636
ProjectPier 0.8.8 has a Remote Information Disclosure Weakness because of the lack of the HttpOnly cookie flag...
CVE-2013-3636
CVE-2013-3636 affects ProjectPier 0.8.8, describing a remote information disclosure caused by session cookies lacking the HttpOnly flag. Multiple connected sources (NVD, Red Hat, CVE lists, etc.) confirm the weakness and its impact (cookie-based information disclosure) without detailing a patch. ...
CVE-2013-3635
ProjectPier 0.8.8 has stored XSS...
CVE-2013-3635
CVE-2013-3635 affects ProjectPier 0.8.8. The vulnerability is a stored cross-site scripting (XSS) flaw in the application, with the XSS payloads reported in fields such as Contact Name, Contact Company Name, and Contact Description. Multiple connected sources corroborate that this vulnerability c...
ProjectPier Unlimited File Upload Vulnerability
ProjectPier is a free, open-source project management system, and the Files plugin is one of its file management plugins. An arbitrary file upload vulnerability exists in ProjectPier 0.88 and earlier versions of the Files plugin. A remote attacker can exploit this vulnerability to execute arbitrary PHP...
CVE-2018-10760
Unrestricted file upload vulnerability in the Files plugin in ProjectPier 0.88 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in the tmp directory under the document...
Unrestricted file upload
Unrestricted file upload vulnerability in the Files plugin in ProjectPier 0.88 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request to the file in the tmp directory under the document...
CVE-2018-10760
CVE-2018-10760 describes an unrestricted file upload vulnerability in ProjectPier's Files plugin (versions 0.88 and earlier). The issue allows remote authenticated users to upload a file with an executable extension and then access it via a direct request to the file in the tmp directory under th...
ProjectPier 0.8.8 SQL Injection / Authentication Bypass / RFI Vulnerabilities
ProjectPier versions 0.8.8 and below suffer from remote file inclusion, authentication bypass, remote shell upload, and remote SQL injection vulnerabilities. "ProjectPier is a Free, Open-Source, PHP application for managing tasks, projects and teams through an intuitive web interface."...
ProjectPier 0.8.8 SQL Injection / Authentication Bypass / RFI
"ProjectPier is a Free, Open-Source, PHP application for managing tasks, projects and teams through an intuitive web interface." https://github.com/Project-Pier https://sourceforge.net/projects/projectpier/ I reached out to the vendor via several channels to report the findings below, but receive...
CVE-2015-2796
Multiple cross-site scripting (XSS) vulnerabilities in Project-Pier ProjectPier-Core allow remote attackers to inject arbitrary web script or HTML via the search_for parameter to (1) search_by_tag.php, (2) search_contacts.php, or (3) search.php...
CVE-2015-2796
Project-Pier ProjectPier-Core is affected by multiple XSS vulnerabilities in the search functionality. The issue arises from the search_for parameter being unsafely echoed by three pages: search_by_tag.php, search_contacts.php, and search.php, enabling remote attackers to inject arbitrary web scr...
ProjectPier 0.8 Multiple HTML Injection and Cross-Site Scripting Vulnerabilities
Source: http://www.securityfocus.com/bid/27857/info. ProjectPier is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary...
Re: Project Pier Web Vulnerabilities
Mitre has assigned the following CVEs for these issues in Project Pier: XSS: CVE-2013-3635; Session cookies lack HttpOnly flag: CVE-2013-3636; Session cookies lack Secure flag: CVE-2013-3637. On Tue, May 21, 2013 at 9:26 PM, the infinitenigma [email protected] wrote: Summary...
Project Pier 0.8.8 XSS / Insecure Cookies
Summary: Software: ProjectPier; Version: 0.8.8 (other versions untested); Website: http://www.projectpier.org; Issue: stored XSS, insecure cookie storage; CVSS Base: AV:N/AC:M/Au:S/C:C/I:C/A:N; CVSS Score: 7.9; Researcher: Carl Benedict. Product Description...
ProjectPier 0.8.8 Shell Upload
Exploit for php platform in category web applications ProjectPier 0 echo $_FILES["file"]["error"] . " " . $_FILES["file"]["name"] . " " . $_FILES["file"]["tmp_name"]; } else { $folder = rtrim('./upload/' . $_POST['folder'], '/'); @mkdir($folder, 0777, true); $seq = str_pad((int)$_POST["part"], 4, "0", STR_PAD_LEFT);...
CVE-2011-3797
ProjectPier 0.8.0.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by public/upgrade/templates/layout.php and certain other files...