GCVE - cpe:2.3:a:achievo:achievo:0.7.2:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:achievo:achievo:0.7.2:*:*:*:*:*:*:*

part: a version: 0.7.2 update: *

Vendor	Achievo (`b431fc0f-318c-5ac2-a0bb-6323ff5f80b2`)
Product	Achievo (`ab15ea88-2f1c-59b4-b377-cc61a88e8c21`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:bitbucket/minghuadev/achievo`	purl2cpe	2026-06-01 10:14:04.446722
`pkg:github/atkphpframework/achievo`	purl2cpe	2026-06-01 10:14:04.446724

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2009-3705`	vulnerable	2026-06-03 14:29:52.835340	Details available PHP remote file inclusion vulnerability in debugger.php in Achievo before 1.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter. Published: 2009-10-16T16:00:00.000Z Updated: 2024-09-16T18:48:54.570Z Open on db.gcve.eu Reference links http://securitytracker.com/id?1023017 http://packetstormsecurity.org/0909-exploits/achievo134-rfi.txt http://www.achievo.org/download/releasenotes/1_4_0	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2009-2734`	vulnerable	2026-06-03 14:29:42.922628	Details available SQL injection vulnerability in the get_employee function in classweekreport.inc in Achievo before 1.4.0 allows remote attackers to execute arbitrary SQL commands via the userid parameter (aka user_id variable) to dispatch.php. Published: 2009-10-16T16:00:00.000Z Updated: 2024-08-07T05:59:57.059Z Open on db.gcve.eu Reference links http://www.securityfocus.com/archive/1/507131/100/0/threaded http://www.securityfocus.com/bid/36660 https://exchange.xforce.ibmcloud.com/vulnerabilities/53743 http://secunia.com/advisories/37035 http://securitytracker.com/id?1023017	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2009-2733`	vulnerable	2026-06-03 14:29:42.907027	Details available Multiple cross-site scripting (XSS) vulnerabilities in Achievo before 1.4.0 allow remote attackers to inject arbitrary web script or HTML via (1) the scheduler title in the scheduler module, and the (2) atksearch[contractnumber], (3) atksearch_AE_customer[customer], (4) atksearchmode[contracttype], and possibly (5) atksearch[contractname] parameters to the Organization Contracts administration page, reachable through dispatch.php. Published: 2009-10-16T16:00:00.000Z Updated: 2024-08-07T05:59:57.113Z Open on db.gcve.eu Reference links https://exchange.xforce.ibmcloud.com/vulnerabilities/53745 https://exchange.xforce.ibmcloud.com/vulnerabilities/53744 http://secunia.com/advisories/37035 http://securitytracker.com/id?1023017 http://www.securityfocus.com/bid/36661	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2002-1435`	vulnerable	2026-06-03 14:26:16.709566	Details available class.atkdateattribute.js.php in Achievo 0.7.0 through 0.9.1, except 0.8.2, allows remote attackers to execute arbitrary PHP code when the 'allow_url_fopen' setting is enabled via a URL in the config_atkroot parameter that points to the code. Published: 2004-09-01T04:00:00.000Z Updated: 2024-08-08T03:26:28.372Z Open on db.gcve.eu Reference links http://archives.neohapsis.com/archives/bugtraq/2002-08/0235.html http://www.achievo.org/lists/2002/Aug/msg00092.html http://www.iss.net/security_center/static/9947.php http://www.securityfocus.com/bid/5552	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.