oss-sec mailing list archives

RE: Re: CVE request: XSS in MantisBT

From: "P Richards" <paul () mantisforge org>
Date: Mon, 16 Feb 2015 09:59:13 -0000

As the initial discoverer of CVE-2014-8986, I can confirm that the commit in
e326b73a does not fix the issue reported in CVE-2014-8986.

The commit
https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02c
ef41bf40 does fix CVE-2014-8986.

@mitre: The description @
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8986 is incorrect -
"MantisBT 1.2.13 through 1.2.17". The issue described in CVE-2014-8986 was
not fixed in either 1.2.18 or .1.2.19. How does one get the status of this
issue updated?

Thanks
Paul

-----Original Message-----
From: Damien Regad [mailto:dregad () mantisbt org] 
Sent: 16 February 2015 09:53
To: oss-security () lists openwall com
Subject: [oss-security] Re: CVE request: XSS in MantisBT

P Richards <paul@...> writes:


According to github
https://github.com/mantisbt/mantisbt/commit/cabacdc2
the fix referenced for CVE-2014-8986 has never been tagged to a 1.2.x 
release.


It would help if you looked at the 1.2.x commit...

http://github.com/mantisbt/mantisbt/commit/e326b73a

$ git describe --contains e326b73a
release-1.2.18~27

Current thread:

CVE request: XSS in MantisBT Damien Regad (Feb 09)
- RE: CVE request: XSS in MantisBT P Richards (Feb 09)
  - Re: CVE request: XSS in MantisBT Damien Regad (Feb 13)
    - RE: Re: CVE request: XSS in MantisBT P Richards (Feb 13)
    - Re: CVE request: XSS in MantisBT Damien Regad (Feb 16)
    - RE: Re: CVE request: XSS in MantisBT P Richards (Feb 16)
    - Re: CVE request: XSS in MantisBT Damien Regad (Feb 16)
- Re: CVE request: XSS in MantisBT cve-assign (Feb 20)
  - RE: CVE request: XSS in MantisBT P Richards (Feb 21)
    - Re: CVE request: XSS in MantisBT cve-assign (Feb 21)