View Issue Details

ID: 0011237
Project: mantisbt
Category: security
View Status: public
Last Update: 2010-02-22 14:34
Reporter: dhx
Assigned To: dhx
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.0
Fixed in Version: 1.2.0
Summary: 0011237: XSS on tag_view_page.php with user Real Name field
Description

Set your real name in "My Account" to something including "<script>alert(42);</script>" and then go to tag_view_page.php for a tag that you have created previously. You'll get a bunch of JavaScript alert messages indicating that an XSS vulnerability exists.

Tags: No tags attached.

Relationships

child of 0011234 (closed, dhx): user_ensure_realname_valid() is not checked on account_page.php

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master 01270e48 (2009-12-01 00:50, dhx)

Fix 0011237: XSS on tag_view_page.php with user Real Name field

The user real name field is not sanitised before being printed on
tag_view_page.php thus exposing an XSS vulnerability.

Affected Issues: 0011237
mod - tag_view_page.php

MantisBT: master-1.2.x 8491dbdf (2009-12-01 00:50, dhx)

Fix 0011237: XSS on tag_view_page.php with user Real Name field

The user real name field is not sanitised before being printed on
tag_view_page.php thus exposing an XSS vulnerability.

Affected Issues: 0011237
mod - tag_view_page.php
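
Added example, not MantisBT code and not the committed fix: a standalone PHP sketch of the defect class described in this issue, showing a stored real name printed into HTML as-is next to the same output with encoding applied, plus an input-side check of the kind the parent issue refers to. All function names, the markup and the validation rule are assumptions made for illustration.

```php
<?php
// Illustration only. Function names, markup and the validation rule below
// are hypothetical; they are not taken from MantisBT.

// Input-side check (assumed rule): refuse real names that contain markup
// characters when the account form is saved.
function realname_is_valid(string $name): bool {
    return $name !== '' && strlen($name) <= 64 && !preg_match('/[<>]/', $name);
}

// Vulnerable pattern: the stored real name is interpolated into the page
// unchanged, so any markup in it becomes part of the document.
function render_creator_unsafe(string $username, string $realname): string {
    return "<td>Created by: $username ($realname)</td>";
}

// Encode a value for an HTML text or attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every user-controlled value is encoded at output time,
// regardless of what validation happened when it was stored.
function render_creator_safe(string $username, string $realname): string {
    return '<td>Created by: ' . h($username) . ' (' . h($realname) . ')</td>';
}

// Constructed sample: the value from the report, treated as already stored
// (for example, saved before any input validation existed).
$stored = 'Jo <script>alert(42);</script>';

echo 'accepted by input check: ';
var_dump(realname_is_valid($stored));

echo "unsafe: ", render_creator_unsafe('jo', $stored), "\n";
echo "safe:   ", render_creator_safe('jo', $stored), "\n";

// Regression check: encoded output must not contain a raw script tag.
if (stripos(render_creator_safe('jo', $stored), '<script') !== false) {
    fwrite(STDERR, "FAIL: real name reached the page unencoded\n");
    exit(1);
}
```

Output encoding is the layer that matters for values already in the database; the input check only stops new bad values from being stored.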