List:       oss-security
Subject:    [oss-security] Re: CVE request: MantisBT before 1.2.13 match_type XSS vulnerability
From:       Damien Regad <damien.regad () merckgroup ! com>
Date:       2013-01-21 9:07:59
Message-ID: loom.20130121T094544-91 () post ! gmane ! org

Kurt Seifried <kseifried@...> writes:
> Please use CVE-2013-0197 for this issue.

Hi Kurt,

Thanks for creating the CVE; please take note of a small rectification on the
original issue report:

David Hicks <d <at> hx.id.au> writes:
> Jakub Galczyk discovered[1][2] a cross site scripting (XSS)
> vulnerability in *MantisBT 1.2.12 and earlier versions* 

This affects *only MantisBT version 1.2.12* (and the 'master'
development branch after 15-Sep-2012), as earlier versions did not contain the
commit introducing the 'match type' filtering feature [1].

It's also worth mentioning that a better patch for the vulnerability is
available under follow-up issue #15388 [2].

Damien Regad
MantisBT developer


[1] 1.2.x branch:  https://github.com/mantisbt/mantisbt/commit/5b491868
    master branch: https://github.com/mantisbt/mantisbt/commit/6c6c3d72
[2] http://www.mantisbt.org/bugs/view.php?id=15388