Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE request: MantisBT before 1.2.13 match_type XSS vulnerability
From: Damien Regad <damien.regad () merckgroup com>
Date: Mon, 21 Jan 2013 09:07:59 +0000 (UTC)

Kurt Seifried <kseifried ()    > writes:
Please use CVE-2013-0197 for this issue.

Hi Kurt,

Thanks for creating the CVE; please take note of a small rectification on the
original issue report:

David Hicks <d <at> hx.id.au> writes:
Jakub Galczyk discovered[1][2] a cross site scripting (XSS)
vulnerability in *MantisBT 1.2.12 and earlier versions* 

This affects *only MantisBT version 1.2.12* (and the 'master'
development branch after 15-Sep-2012), as earlier versions did not contain the
commit introducing the 'match type' filtering feature [1].

It's also worth mentioning that a better patch for the vulnerability is
available under follow-up issue #15388 [2]

Damien Regad
MantisBT developer

[1] 1.2.x branch:  https://github.com/mantisbt/mantisbt/commit/5b491868
    master branch: https://github.com/mantisbt/mantisbt/commit/6c6c3d72
[2] http://www.mantisbt.org/bugs/view.php?id=15388

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]