Multiple eval injection vulnerabilities in itpm_estimate.php in Yoxel 1.23beta and earlier allow remote authenticated users to execute arbitrary PHP code via the proj_id parameter.
Exploitability
AV:NAC:LAu:SImpact
C:CI:CA:C9/AV:N/AC:L/Au:S/C:C/I:C/A:C