oss-sec mailing list archives

Re: CVE request: MantisBT <=1.2.3 (db_type) Cross-Site Scripting & Path Disclosure Vulnerability


From: Josh Bressers <bressers () redhat com>
Date: Thu, 16 Dec 2010 08:58:34 -0500 (EST)

Please use CVE-2010-4348 for the XSS.
CVE-2010-4349 for the path disclosure.

Thanks.

-- 
    JB


----- "David Hicks" <hickseydr () optusnet com au> wrote:

This is a CVE request for a vulnerability discovered in MantisBT <1.2.4
by Gjoko Krstic of Zero Science Lab as per the following advisory:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php

MantisBT 1.2.4 has been released to resolve this issue.

For distributions or users using MantisBT 1.1.x, the following patch can
be applied:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

Please note that MantisBT 1.1.x is not recommended for use due to many
security improvements and features implemented in MantisBT 1.2.x (but
not backported to 1.1.x).

Detailed information about this vulnerability can be found in this bug
report: http://www.mantisbt.org/bugs/view.php?id=12607

Regards,

David Hicks
MantisBT Developer
mantisbt.org, #mantishelp freenode
