View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0011233 | mantisbt | security | public | 2009-11-30 23:57 | 2010-02-22 14:34 |
Reporter | dhx | Assigned To | dhx | ||
Priority | urgent | Severity | major | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0 | ||||
Target Version | 1.2.0 | Fixed in Version | 1.2.0 | ||
Summary | 0011233: XSS on adm_config_report.php with user Real Name field | ||||
Description | As an administrator, set your real name in "My Account" to something including "<script>alert(42);</script>" and then go to adm_config_report.php. There will be multiple JavaScript alerts that pop up due to unsanitised printing of the "Real Name" field for user accounts. | ||||
Tags | No tags attached. | ||||
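The report describes a stored XSS: a value an administrator controls (the account's Real Name) is written into the configuration report page without HTML encoding. The following is an added illustration of that pattern and its fix; it is not MantisBT's code and not the content of the fix commit (the diff itself is not reproduced on this page). The `$users` array, the payload, and the `render_*`/`contains_raw_markup` functions are constructed for this example.

```php
<?php
// Added example, not MantisBT's code. Shows the unsanitised output
// pattern from the report beside a hardened version that HTML-encodes
// the stored value at output time.

// Constructed sample data: one account carrying the payload quoted in
// the report, one with characters that must survive encoding intact.
$users = [
    ['username' => 'administrator', 'realname' => '<script>alert(42);</script>'],
    ['username' => 'alice',         'realname' => 'Alice "the" Admin & co'],
];

// Vulnerable pattern: the stored real name is interpolated straight into
// the table cell, so the browser parses the <script> element and runs it
// in the session of whoever views the report (here: an administrator).
function render_unsafe(array $user): string
{
    return '<td>' . $user['realname'] . '</td>';
}

// Hardened pattern: encode on output. ENT_QUOTES covers both quote styles
// so the same helper is safe inside attribute values; the explicit charset
// avoids ambiguity with multibyte input.
function render_safe(array $user): string
{
    $realname = htmlspecialchars($user['realname'], ENT_QUOTES, 'UTF-8');
    return '<td>' . $realname . '</td>';
}

// Regression check of the kind a test for this bug class would assert:
// nothing between the <td> tags may still be a raw markup metacharacter.
function contains_raw_markup(string $html): bool
{
    $inner = substr($html, strlen('<td>'), -strlen('</td>'));
    return strpbrk($inner, '<>"\'') !== false;
}

foreach ($users as $user) {
    echo "user:   ", $user['username'], "\n";
    echo "unsafe: ", render_unsafe($user), "\n";
    echo "safe:   ", render_safe($user), "\n";
    echo "raw markup left in safe output? ",
         contains_raw_markup(render_safe($user)) ? 'yes' : 'no', "\n\n";
}
```

Run with `php example.php`. For the payload account, `render_unsafe()` emits the `<script>` element verbatim while `render_safe()` emits `&lt;script&gt;alert(42);&lt;/script&gt;`, which the browser displays as text. In MantisBT itself the idiomatic route is the project's string API (`string_display_line()` and related helpers in `core/string_api.php`) rather than a bare `htmlspecialchars()` call; the principle is the same: encode every stored field at the point it is written into HTML, regardless of who is trusted to have set it.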
MantisBT: master a49cc3ce 2009-12-01 00:31
Fix 0011233: XSS on adm_config_report.php with user Real Name field. User real names were not sanitised on adm_config_report.php, thus leading to XSS attacks against those with permission to access the configuration of a Mantis installation (typically Administrators only).
Affected Issues 0011233
mod - adm_config_report.php
MantisBT: master-1.2.x 92561bce 2009-12-01 00:31
Fix 0011233: XSS on adm_config_report.php with user Real Name field. User real names were not sanitised on adm_config_report.php, thus leading to XSS attacks against those with permission to access the configuration of a Mantis installation (typically Administrators only).
Affected Issues 0011233
mod - adm_config_report.php