Re: CVE request: MantisBT before 1.2.13 match_type XSS vulnerability
From: Damien Regad <damien.regad () merckgroup com>
Date: Mon, 21 Jan 2013 09:07:59 +0000 (UTC)
Kurt Seifried <kseifried () > writes:
> Please use CVE-2013-0197 for this issue.
Thanks for creating the CVE; please take note of a small rectification on the
original issue report:
David Hicks <d <at> hx.id.au> writes:
> Jakub Galczyk discovered a cross site scripting (XSS)
> vulnerability in *MantisBT 1.2.12 and earlier versions*
This affects *only MantisBT version 1.2.12* (and the 'master'
development branch after 15-Sep-2012), as earlier versions did not contain the
commit introducing the 'match type' filtering feature.
It's also worth mentioning that a better patch for the vulnerability is
available under follow-up issue #15388 
 1.2.x branch: https://github.com/mantisbt/mantisbt/commit/5b491868
master branch: https://github.com/mantisbt/mantisbt/commit/6c6c3d72