
List:       oss-security
Subject:    Re: [oss-security] CVE Request: MantisBT before 1.2.16 XSS vulnerability
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-10-23 2:05:40
Message-ID: 52672EF4.8060802 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/21/2013 04:26 PM, Damien Regad wrote:
> Greetings
> 
> Roland Becker (MantisBT developer) discovered and fixed [1] an XSS 
> vulnerability issue affecting MantisBT releases 1.0.0 to 1.2.15
> included.
> 
> Account_sponsor_page.php.php did not correctly sanitize project
> names, enabling a malicious user to execute malicious JavaScript
> when visiting that page.
> 
> The criticality of this issue is compounded by the fact that a 
> high-privilege account (typically project manager or administrator)
> is required to edit project names.
> 
> Patches attached to [1]. Can you please assign a CVE ID to this
> issue?
> 
> Thank you
> 
> D. Regad
> MantisBT Developer
> http://mantisbt.org/
> 
> [1] http://www.mantisbt.org/bugs/view.php?id=16513
> 
> BCC: mantisbt-dev@lists.sourceforge.net
> 

Please use CVE-2013-4460 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
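The bug described in the request is an output-encoding failure: a project name set by a high-privilege user is later written into HTML without escaping. The following is an added illustration in plain PHP, not MantisBT's own code, showing the unsafe rendering pattern beside a corrected one for each output context; the function names and the constructed project name are assumptions.

```php
<?php
// Added example (not MantisBT code): rendering a project name into a page.
// A constructed project name containing HTML metacharacters; in the real
// application the value would come from the projects table.
$projectName = 'Acme <b>Widgets</b> & "Sons"';

// Vulnerable pattern: the name is concatenated into HTML verbatim, so any
// markup it contains becomes part of the page and runs in the viewer's
// browser. Because only project managers/administrators can set the name,
// the attacker must already hold a privileged account, exactly as the
// report notes.
function render_row_unsafe(string $name): string {
    return '<tr><td>' . $name . '</td>'
         . '<td><a href="view.php?name=' . $name . '">view</a></td></tr>';
}

// Hardened pattern: encode for the context the value lands in.
// Text node and attribute value: htmlspecialchars with ENT_QUOTES so both
// quote characters are encoded and an attribute cannot be closed early;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL query parameter: percent-encode first, then HTML-encode the result
// because it is still being placed inside an HTML attribute.
function render_row_safe(string $name): string {
    return '<tr><td>' . html_escape($name) . '</td>'
         . '<td><a href="view.php?name=' . html_escape(rawurlencode($name))
         . '">view</a></td></tr>';
}

echo render_row_unsafe($projectName), PHP_EOL;  // markup is interpreted
echo render_row_safe($projectName), PHP_EOL;    // markup is shown as text
```

Escaping at the point of output, rather than trying to strip markup when the name is saved, is what keeps the fix correct for every page that later displays the same value.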