Input passed to the "inactive" parameter in index.php (when "m" is set to "tasks"), "date" in index.php (when "m" is set to "calendar" and "a" to "day_view"), "callback" in index.php (when "m" is set to "public", "a" is set to "calendar", and "dialog" is set to "1"), and "type" in index.php (when "m" is set to "ticketsmith") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Input passed to the "event_title" and "event_description" parameters in index.php (when "m" is set to "calendar") is not properly sanitised before being used. This can exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site if the malicious event is viewed. 5) Input passed to the "company_name", "company_email", "company_phone1", "company_phone2", "company_fax", "company_address1", "company_address2", "company_city", "company_state", "company_zip", "company_primary_url", and "company_description" parameters in index.php (when "m" is set to "companies") is not properly sanitised before being used. This can exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site if the malicious company details are viewed.

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Unknown or Incomplete

• CVE ID: 2008-3886 (see also: NVD)
• Secunia Advisory ID: 31681
• Related OSVDB ID: 47843
• Other Advisory URL: http://holisticinfosec.org/content/view/105/45/
  http://packetstorm.linuxsecurity.com/0808-exploits/dotproject-sqlxss.txt
• Vendor URL: http://www.dotproject.net/

• Russ McRee - holisticinfosec.org