List: oss-security
Subject: Re: [oss-security] CVE Request: MantisBT before 1.2.16 XSS vulnerability
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2013-10-23 2:05:40
Message-ID: 52672EF4.8060802 () redhat ! com
On 10/21/2013 04:26 PM, Damien Regad wrote:
> Greetings
>
> Roland Becker (MantisBT developer) discovered and fixed [1] an XSS
> vulnerability issue affecting MantisBT releases 1.0.0 to 1.2.15
> included.
>
> account_sponsor_page.php did not correctly sanitize project
> names, enabling a malicious user to execute malicious JavaScript
> when visiting that page.
>
> The criticality of this issue is compounded by the fact that a
> high-privilege account (typically project manager or administrator)
> is required to edit project names.
>
> Patches attached to [1]. Can you please assign a CVE ID to this
> issue?
>
> Thank you
>
> D. Regad MantisBT Developer http://mantisbt.org/
>
> [1] http://www.mantisbt.org/bugs/view.php?id=16513
>
> BCC: mantisbt-dev@lists.sourceforge.net
>
Please use CVE-2013-4460 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
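The bug class described in the request above, as an added illustration that is not MantisBT's own code or the patch attached to the bug report: a stored project name is rendered into an HTML page, and the difference between echoing it raw and encoding it for an HTML text context. The project name, the row-rendering functions and the check are all constructed for this example.

```php
<?php
// Added example, not code from MantisBT or from the fix referenced above.
// Scenario: a high-privilege user sets a project name; a page later renders
// that name into HTML. If the value is echoed raw, markup in it becomes live.

// Constructed sample project name carrying a script tag.
$projectName = 'Widgets <script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated into HTML unencoded.
function render_project_cell_vulnerable($name)
{
    return '<td>' . $name . '</td>';
}

// Hardened pattern: encode for an HTML text context at output time.
// ENT_QUOTES also encodes single and double quotes, which matters if the
// same value is ever placed inside an attribute; passing 'UTF-8' keeps
// invalid byte sequences from being emitted unencoded.
function render_project_cell_fixed($name)
{
    return '<td>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Review check: no raw <script> tag from user-controlled data should
// survive in the rendered output.
function contains_raw_script_tag($html)
{
    return stripos($html, '<script') !== false;
}

$vulnerable = render_project_cell_vulnerable($projectName);
$fixed      = render_project_cell_fixed($projectName);

echo 'vulnerable output keeps script tag: ',
    var_export(contains_raw_script_tag($vulnerable), true), PHP_EOL;
echo 'fixed output keeps script tag:      ',
    var_export(contains_raw_script_tag($fixed), true), PHP_EOL;
echo $fixed, PHP_EOL;
```

Encoding at the point of output, rather than trusting that only administrators can edit the field, is the mitigation; the privilege needed to set the name limits who can plant the payload, not who is exposed when the page is viewed.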