oss-sec mailing list archives
Re: CVE request: MantisBT before 1.2.13 match_type XSS vulnerability
From: Damien Regad <damien.regad () merckgroup com>
Date: Mon, 21 Jan 2013 09:07:59 +0000 (UTC)
Kurt Seifried <kseifried@...> writes:
> Please use CVE-2013-0197 for this issue.

Hi Kurt,

Thanks for creating the CVE; please take note of a small rectification on the original issue report:

David Hicks <d <at> hx.id.au> writes:
> Jakub Galczyk discovered[1][2] a cross site scripting (XSS) vulnerability in
> *MantisBT 1.2.12 and earlier versions*

This affects *only MantisBT version 1.2.12* (and the 'master' development branch after 15-Sep-2012), as earlier versions did not contain the commit introducing the 'match type' filtering feature [1].

It's also worth mentioning that a better patch for the vulnerability is available under follow-up issue #15388 [2].

Damien Regad
MantisBT developer

[1] 1.2.x branch: https://github.com/mantisbt/mantisbt/commit/5b491868
    master branch: https://github.com/mantisbt/mantisbt/commit/6c6c3d72
[2] http://www.mantisbt.org/bugs/view.php?id=15388