Re: Multiple CVE requests for MantisBT

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/04/2013 05:17 PM, Damien Regad wrote:
> Greetings,
>
> The following 4 issues were discovered in the Mantis Bug Tracker:
>
>
> 1. Close button available to users despite workflow restrictions
>
> This issue affects Mantis 1.2.12 and later.
>
> It allows low-privileged users to close issues even though the
> workflow settings do not permit it.
>
> Reference: http://www.mantisbt.org/bugs/view.php?id=15453

Please use CVE-2013-1930 for this issue.

> 2. XSS vulnerability when deleting a version
>
> This issue affects Mantis 1.2.14 only.
>
> Arbitrary JavaScript could be executed in the client's browser when
> deleting a version containing embedded code in its name. The
> criticality of this issue is compounded by the fact that a
> high-privilege account (typically project manager or administrator)
> is required to both to create and delete a version.
>
> Reference: http://www.mantisbt.org/bugs/view.php?id=15511

Please use CVE-2013-1931 for this issue.

> 3. XSS vulnerability on Configuration Report page
>
> This issue affects Mantis 1.2.13 only [1].
>
> If the system defines a Project containing embedded JavaScript code
> in its name, that code would be executed in the client's browser
> when displaying the configuration report page
> (adm_config_report.php).
>
> The severity of this issue is mitigated by the need to have a 
> high-privileged account both to set the project's name and to
> access the configuration report page.
>
> Reference: http://www.mantisbt.org/bugs/view.php?id=15415

Please use CVE-2013-1932 for this issue.

> 4. XSS issue on Configuration Report page when displaying complex
> value
>
> This issue affects Mantis 1.2.0rc1 and later.
>
> Lack of proper string escaping allows users (having admin access)
> to enter arbitrary javascript code and have it executed on the
> user's browser.
>
> Reference: http://www.mantisbt.org/bugs/view.php?id=15416

Does this count as a proper release or does it fall into the "beta"
classification?

> Issues resolution:
>
> - 1 & 2 will be fixed in upcoming release 1.2.15, expected to go
> live sometime next week (patches are available in the referenced
> issues)
>
> - 3 & 4 were both resolved in version 1.2.14, released on
> 29-Jan-2013
>
>
> Could you kindly assign CVEs for the above issues ? Thanks in
> advance.
>
>
> Best regards, D. Regad MantisBT Developer http://www.mantisbt.org
>
> [1] MantisBT version 1.2.13 was tagged in the repository but never
> formally released, as we discovered several critical issues at the
> last minute and decided to pull it and released 1.2.14 a week later
> instead.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRX2fAAAoJEBYNRVNeJnmTPp4P/Rr4LuoQagM3dEgb+AsOJS04
aN/EjKNJ70IEjYge2B2k3AxwdAWJAm0C+w27caR/yx+1kxptH31eE5CGyUUbGS95
kfizE9eIhUufMt97xIV9Mnazfbkk5/faRL5SvgcZmvI2us6RmTROrElND9kpe8eM
vsfb65SgdnrSCMBmltOYo61o0JgnIsJ9ElpOkyhGySeZbIDlwh9TpITmWdgVF0u1
PeXS28jjwm0cQgHYUkdT38MjzS3MV0pJyYaIlY31ifAQVcY4UnzNrn5oV07WuLZ/
YHgM3e/gbnPvVDg052VKjK7uY+OMnohSLB7j+LuEni7i+VmW8vJh6ntdB0Qvjl9D
lktmvw0ulq6xN175JiOib3v7WhxF6TZYQmuLiTE+3ZGsu+Yt5bvfS6zQkYJE3o2t
DO8wwudt9QC3H+HxFgTVh8ystDxbzorgxci34vq9cOGogGzEWBWNIc9NVjpiiCaK
DakOsFVOmwrzeeZpChYtvECl3x36lI1xl/dmvwcci/yTJ/RzYg2h+2tObc5NZgkJ
PY5FTa2hLJNBHO9CdgL0PfR5KZhzilaI8AlpWR4CkYxFOBMCWV572NfeG6LUg2xS
7ZUAe9w0hCAkiVwyAaiJUf9aYngLN/kwVGRJQUK0R+p8cZnl4iYjcIvzLwi5lWcT
Yi9mzFyrPEePbnszIppd
=cV+p
-----END PGP SIGNATURE-----