Re: CVE request: MantisBT 1.2.12 only summary.php category/project names XSS vulnerability
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 02 Mar 2013 20:44:07 -0700
On 03/01/2013 11:31 AM, Salvatore Bonaccorso wrote:
Noticed that this request did not get a CVE. Can one be assigned?
Note that this only seems to affect exactly one version 1.2.12:
On Sat, Jan 19, 2013 at 10:21:11AM +1100, David Hicks wrote:
Roland Becker (MantisBT Developer) discovered an XSS
vulnerability introduced in MantisBT 1.2.12 with the display of
category/project names on the summary.php page. Versions of
MantisBT other than 1.2.12 are not affected by this
A malicious MantisBT user holding privileged
manager/administrator permissions could create a category or
summary.php from that point on may then be exposed to having the
The severity of this issue is limited by the need to hold
privileged manager/administrator permissions in order to modify
category and project names. However -- there are many use cases
where MantisBT installations can have hundreds of sub-projects,
each managed by different people/parties that cannot or should
not be fully trusted.
Refer to previous commits 3ca8a164 and 6ec3f693 to trace
back the origin of this vulnerability.
References:  http://www.mantisbt.org/bugs/view.php?id=15384
Discussion on the MantisBT Developer Mailing List has indicated that a
release of MantisBT 1.2.13 (resolving both this vulnerability
and CVE-2013-0197 which was announced on this list ~12 hours ago)
will not occur until early next week. As such, a patch is
attached for distributions packaging MantisBT 1.2.12. It is
recommended this patch be applied as soon as possible.
Can a CVE ID please be assigned to this issue?
Please use CVE-2013-1810 for this issue.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
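The bug class the thread describes is a stored XSS through names that a manager/administrator controls and that the summary page prints back as HTML. The following is an added illustration written for this page, not MantisBT's summary.php, its patch, or commits 3ca8a164/6ec3f693: a hypothetical row renderer that concatenates the stored name into markup, beside the same renderer with output encoding at the HTML boundary. The function names, the sample project names and the check helper are assumptions for the example.

```php
<?php
// Added illustration, not MantisBT code. Names, helpers and sample data are
// assumptions for this example.

// Constructed sample names: the kind of value a manager/administrator could
// store as a project or category name.
$names = [
    'Core Platform',
    'Billing <script>alert(document.cookie)</script>',
    'QA "onmouseover=alert(1) x="',
];

// Vulnerable pattern: the stored name is interpolated into HTML as-is, so any
// markup in it becomes part of the page for every user who views the summary.
function render_summary_row_unsafe(string $name, int $open, int $resolved): string
{
    return "<tr><td>$name</td><td>$open</td><td>$resolved</td></tr>\n";
}

// Hardened pattern: HTML-encode at the output boundary. ENT_QUOTES also encodes
// single and double quotes, so the value stays inert inside attribute values,
// not only in text nodes; ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_summary_row_safe(string $name, int $open, int $resolved): string
{
    return '<tr><td>' . html_encode($name) . "</td><td>$open</td><td>$resolved</td></tr>\n";
}

// Regression check (assumed helper): true when a name that carries HTML
// metacharacters appears verbatim in the rendered output, i.e. unencoded.
function contains_injected_markup(string $html, string $name): bool
{
    return preg_match('/[<>"\']/', $name) === 1 && strpos($html, $name) !== false;
}

foreach ($names as $name) {
    $unsafe = render_summary_row_unsafe($name, 3, 7);
    $safe   = render_summary_row_safe($name, 3, 7);
    printf(
        "name: %s\n  unsafe output injected: %s\n  safe output injected:   %s\n  safe output: %s",
        $name,
        contains_injected_markup($unsafe, $name) ? 'yes' : 'no',
        contains_injected_markup($safe, $name) ? 'yes' : 'no',
        $safe
    );
}
```

Run with `php example.php`: the first name passes both renderers unchanged, the second and third appear raw in the unsafe output and encoded (`&lt;script&gt;`, `&quot;`) in the safe one. The point for a reviewer of the real fix is the same as in the advisory text: the trust boundary is the output, not the permission level of whoever set the name, since sub-project managers are not necessarily trusted by the installation as a whole.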