Re: Re: Multiple CVE requests for MantisBT

[Damien Regad <damien.regad () merckgroup com>]

Kurt Seifried <kseifried () redhat com>
 Wrote in message:

> > > > > 4. XSS issue on Configuration Report page when displaying 
> > > > > complex value
> > > > >
> > > > > This issue affects Mantis 1.2.0rc1 and later.
> > > > >
> > > > > Lack of proper string escaping allows users (having admin 
> > > > > access) to enter arbitrary javascript code and have it
> > > > > executed on the user's browser.
> > > > >
> > > > > Reference: http://www.mantisbt.org/bugs/view.php?id=15416
> > > >
> > > > Does this count as a proper release or does it fall into the 
> > > > "beta" classification?
> >
> > > 1.2.0rc1 was a beta release. The first "proper" release affected
> > > by this was 1.2.0
> >
> > Ok not assigning a CVE then, unless there are a large number of
> > users betas don't get CVEs.
>
> Steve just pointed out I may have misread this. Is 1.2.0 vulnerable,
> and this is fixed in 1.2.1, or was it fixed in the 1.2.0 release (so
> ONLY 1.2.0-rc1 was affected)?

Not sure who Steve is, but he is absolutely correct - this affects
 all versions of Mantis *starting* with rc1 and until 1.2.13
 included, so definitely non-beta releases are vulnerable.