flyspray 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk cross-site scripting、vendor risk csrf, and パス処理の欠陥 があり、vendor surface production workloads and vendor surface software deployment の利用場面で vendor impact session compromise and ファイル上書き などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2017-15214 | Stored XSS vulnerability in Flyspray 1.0-rc4 before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges and also to execute JavaScript against other users (including unauthenticated users), via the name, title, or id parameter to plugins/dokuwiki/lib/plugins/changelinks/syntax.php. | [email protected] | 5.4 | 0.86% | 2017-10-11 | 2026-05-13 |
| CVE-2017-15213 | Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the real_name or email_address field to themes/CleanFS/templates/common.editallusers.tpl. | [email protected] | 5.4 | 0.80% | 2017-10-11 | 2026-05-13 |
| CVE-2012-1058 | Cross-site request forgery (CSRF) vulnerability in Flyspray 0.9.9.6 allows remote attackers to hijack the authentication of admins for requests that add admin accounts via an admin.newuser action to index.php. | [email protected] | 6.0 | 0.94% | 2012-02-14 | 2026-04-29 |
| CVE-2008-1166 | Flyspray 0.9.9.4 generates different error messages depending on whether the username is valid or invalid, which allows remote attackers to enumerate usernames. | [email protected] | 5.0 | 1.21% | 2008-03-05 | 2026-04-23 |
| CVE-2008-1165 | Multiple cross-site scripting (XSS) vulnerabilities in Flyspray 0.9.9 through 0.9.9.4 allow remote attackers to inject arbitrary web script or HTML via (1) a forced SQL error message or (2) old_value and new_value database fields in task summaries, related to the item_summary parameter in a details action in index.php. NOTE: some of these details are obtained from third party information. | [email protected] | 4.3 | 1.02% | 2008-03-05 | 2026-04-23 |
| CVE-2007-6461 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flyspray 0.9.9 through 0.9.9.3 allow remote attackers to inject arbitrary web script or HTML via (1) the query string in an index action, related to the savesearch JavaScript function; and (2) the details parameter in a details action, related to the History tab and the getHistory JavaScript function. | [email protected] | 4.3 | 1.06% | 2007-12-20 | 2026-04-23 |
| CVE-2007-1789 | Flyspray 0.9.9 allows remote attackers to obtain sensitive information (private project summaries) via direct requests. | [email protected] | 6.8 | 1.23% | 2007-03-31 | 2026-04-23 |
| CVE-2007-1788 | Flyspray 0.9.9, when output_buffering is disabled or "set to a low value," allows remote attackers to bypass authentication via a crafted post request. | [email protected] | 6.8 | 1.26% | 2007-03-31 | 2026-04-23 |
| CVE-2006-0714 | Directory traversal vulnerability in the installation file (sql/install-0.9.7.php) in Flyspray 0.9.7 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the adodbpath parameter. | [email protected] | 5.0 | 7.59% | 2006-02-15 | 2026-04-16 |
| CVE-2005-3334 | Cross-site scripting (XSS) vulnerability in index.php in Flyspray 0.9.7 through 0.9.8 (devel) allows remote attackers to inject arbitrary web script or HTML via the (1) PHPSESSID, (2) task, (3) string, (4) type, (5) serv, (6) due, (7) dev, and (8) sort2 parameters. | [email protected] | 4.3 | 4.64% | 2005-10-27 | 2026-04-16 |