oss-sec mailing list archives
CVE Request: XSS vulnerability in MantisBT 1.2.13
From: Damien Regad <dregad () mantisbt org>
Date: Fri, 14 Nov 2014 23:29:53 +0100
Please assign a CVE ID for the following issue.

Description:
The MantisBT Configuration Report page (adm_config_report.php) did not escape a parameter before displaying it on the page, allowing an attacker to execute arbitrary JavaScript code.

The severity of this issue is mitigated by the need to have a high-privileged account (by default, administrator) to access the configuration report page.

Affected versions: >= 1.2.13, <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See Github [1]
Credit: Issue was discovered by Alejo Popovici and fixed by Damien Regad (MantisBT Developer)

References: Further details available in our issue tracker [2]

D. Regad
MantisBT Developer
http://www.mantisbt.org

[1] http://github.com/mantisbt/mantisbt/commit/ee8100d6
[2] http://www.mantisbt.org/bugs/view.php?id=17870
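The defect class the request describes, a request parameter written into an HTML page without escaping, is shown below as an added PHP illustration. This is not the MantisBT commit referenced above and does not use MantisBT's own helper functions; the parameter name `filter_value`, the two `render_filter_*` functions and the probe string are all constructed for the example. It places the unescaped output next to the corrected output, where the value is escaped for the HTML attribute context with `htmlspecialchars`, and includes a small check that the escaped value no longer contains any HTML metacharacter.

```php
<?php
// Added illustration of the defect class in the advisory above. This is NOT the
// MantisBT fix; "filter_value" and the function names are made-up placeholders.

declare(strict_types=1);

// Vulnerable pattern: a request value is interpolated straight into HTML.
function render_filter_vulnerable(string $value): string
{
    return '<input type="text" name="filter_value" value="' . $value . '" />';
}

// Hardened pattern: escape for the HTML attribute context at output time.
// ENT_QUOTES also converts single quotes, which matters inside attributes.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_filter_fixed(string $value): string
{
    return '<input type="text" name="filter_value" value="' . escape_html($value) . '" />';
}

// Self-check: after escaping, none of the characters that could close the
// attribute or open a tag may remain (the entity ampersands themselves are fine).
function is_inert(string $value): bool
{
    return strpbrk(escape_html($value), '<>"\'') === false;
}

// Constructed probe (not taken from the advisory): it tries to close the
// attribute and attach an event handler to the input element.
$probe = '" onfocus="alert(1)" autofocus="';

echo "vulnerable: ", render_filter_vulnerable($probe), PHP_EOL;
echo "fixed:      ", render_filter_fixed($probe), PHP_EOL;
echo "inert after escaping: ", var_export(is_inert($probe), true), PHP_EOL;
```

Run with `php example.php`: the first line of output carries the probe verbatim, so the browser would treat `onfocus` as a real attribute; the second carries it as `&quot;`-encoded text inside the attribute value. The point of the pattern is that escaping happens at the output sink and matches the context it is written into (attribute here; a different encoder is needed inside `<script>` or URLs). The administrator-only access requirement the request mentions lowers the exposure, but the rendering code itself still needs to escape.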