oss-sec mailing list archives
Re: CVE Request: MantisBT before 1.2.16 XSS vulnerability
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 22 Oct 2013 20:05:40 -0600
On 10/21/2013 04:26 PM, Damien Regad wrote:
> Greetings,
>
> Roland Becker (MantisBT developer) discovered and fixed [1] an XSS vulnerability issue affecting MantisBT releases 1.0.0 to 1.2.15 included. account_sponsor_page.php did not correctly sanitize project names, enabling a malicious user to execute malicious JavaScript when visiting that page.
>
> The criticality of this issue is compounded by the fact that a high-privilege account (typically project manager or administrator) is required to edit project names.
>
> Patches attached to [1].
>
> Can you please assign a CVE ID to this issue?
>
> Thank you
>
> D. Regad
> MantisBT Developer
> http://mantisbt.org/
>
> [1] http://www.mantisbt.org/bugs/view.php?id=16513
>
> BCC: mantisbt-dev () lists sourceforge net
Please use CVE-2013-4460 for this issue.

- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
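Added illustration of the bug class described in the quoted request (an untrusted project name echoed into HTML without output encoding) next to the hardened form; this is example code written for this page, not MantisBT's own source or the patch attached to [1]. The project name and the render functions are constructed placeholders.

```php
<?php
// Constructed sample: a project name as a high-privilege user could set it.
// Project names are attacker-influenced data from the page's point of view.
$untrusted = 'Billing <script>alert(1)</script>';

// Vulnerable pattern (hypothetical): the raw value lands in the page body
// unchanged, so any markup in the name becomes part of the document.
function render_project_row_vulnerable(string $projectName): string
{
    return "<tr><td>{$projectName}</td></tr>";
}

// Hardened pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES also encodes single quotes so the helper is safe inside attribute
// values; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8,
// which would otherwise hide data rather than fail loudly.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_project_row(string $projectName): string
{
    return '<tr><td>' . html_text($projectName) . '</td></tr>';
}

// Regression check usable in a test suite: the untrusted string must never
// appear verbatim in rendered output, only in its encoded form.
function leaks_raw_markup(string $html, string $untrusted): bool
{
    return strpos($html, $untrusted) !== false;
}

$vulnerable = render_project_row_vulnerable($untrusted);
$hardened   = render_project_row($untrusted);

if (!leaks_raw_markup($vulnerable, $untrusted)) {
    throw new RuntimeException('vulnerable renderer unexpectedly encoded output');
}
if (leaks_raw_markup($hardened, $untrusted)) {
    throw new RuntimeException('hardened renderer leaked raw markup');
}
$expected = '<tr><td>Billing &lt;script&gt;alert(1)&lt;/script&gt;</td></tr>';
if ($hardened !== $expected) {
    throw new RuntimeException('unexpected encoded output: ' . $hardened);
}
echo $hardened, PHP_EOL;
```

The same rule applies to every sink the name reaches (page title, attributes, JavaScript strings); each context needs its own encoder, and the leak check above is the cheapest way to catch a page that forgot one.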
Current thread:
- CVE Request: MantisBT before 1.2.16 XSS vulnerability Damien Regad (Oct 22)
- Re: CVE Request: MantisBT before 1.2.16 XSS vulnerability Kurt Seifried (Oct 22)