Re: Re: Multiple CVE requests for MantisBT

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/08/2013 03:47 AM, Damien Regad wrote:
> Kurt Seifried <kseifried@...> writes:
> > Please use CVE-2013-1930 for this issue.
>
> Hi Kurt,
>
> Thanks for assigning the 3 CVE's.
>
> > > 4. XSS issue on Configuration Report page when displaying
> > > complex value
> > >
> > > This issue affects Mantis 1.2.0rc1 and later.
> > >
> > > Lack of proper string escaping allows users (having admin
> > > access) to enter arbitrary javascript code and have it executed
> > > on the user's browser.
> > >
> > > Reference: http://www.mantisbt.org/bugs/view.php?id=15416
> >
> > Does this count as a proper release or does it fall into the
> > "beta" classification?
>
> 1.2.0rc1 was a beta release. The first "proper" release affected by
> this was 1.2.0

Ok not assigning a CVE then, unless there are a large number of users
betas don't get CVEs.

> Hope this clarifies, let me know if you need more info.
>
> Damien


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRYverAAoJEBYNRVNeJnmTY7MP/AqImz3OEiHIMEJtdTaIe5f/
d+t9UypinW/nTjV3CCovR93F2om90Z9h891OBWSBvozJdab3NRyHZKFRrjyG275a
6pdVMP9IXrKjxUn30P58JDLc8D9cUZHazE45hXmhLz8UBs44m/rW2TtqTNkuZwqp
9jwrH/PbFZj1rIsWpizY5NJW0dpA34Okj2Kj//GpMSHjzocEpSzw0q9NUSMxij63
WZ2jql+yLihYULjPRF2IeTl+TkhPlmIlhmxitKKt+lV+ZAyR3MAFE5Y2z8WKLiGi
nf/94izFZLUJ1sMlXRRBTlXV4NfR71jElT0M4JBVQW1Ph7mlULA13f30TFEOjCuS
hM4DPMPHyWHp5N2nGDGizkh1b99JBawUkMpPOAMlDEJYnwZVar70UgCzoKpjsbuc
3Yo0s8mS+DdOOWz3oOpaf+PImaFgHfrxgkIyEB/PuIja27vo7aYV/7gYjSeSqn5x
9sV+4tFD3vLsI7E5KPYGG7s8w/JYw7mfBUnYLJLuOuLu+YpqkTj4ooM/YZNYjHk2
CoJ4gZMwdeHy6i+MlqCThUthb99xcnVbXhwF5b3in4We0LmCOzmpV9do+wj1VA+L
HW6JtoaszYaJ0vkLknPwHjuq5eIn0UkSm7EKjVgzfjgbyjMj/PMEnh/YPewSvRyE
MfUeMokQsR54xX0d8HOb
=uiSE
-----END PGP SIGNATURE-----