View Issue Details

ID: 0011238
Project: mantisbt
Category: security
View Status: public
Last Update: 2010-02-22 14:34
Reporter: dhx
Assigned To: dhx
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.0
Fixed in Version: 1.2.0
Summary: 0011238: XSS on tag_update_page.php with user Real Name field
Description

Set your real name in "My Account" to something including "<script>alert(42);</script>" and then go to tag_update_page.php for a tag that you have created previously. Click the "edit" button next to the tag creator field. You'll get a JavaScript alert message indicating that an XSS vulnerability exists.

Tags: No tags attached.

Relationships

child of 0011234 (closed, dhx): user_ensure_realname_valid() is not checked on account_page.php

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master 93f36d26

2009-12-01 00:55

dhx


Fix 0011238: XSS on tag_update_page.php with user Real Name field

User real name field is not sanitised on tag_update_page.php thus
leading to an XSS vulnerability.
Affected Issues
0011238
mod - tag_update_page.php

MantisBT: master-1.2.x b1f59933

2009-12-01 00:55

dhx


Fix 0011238: XSS on tag_update_page.php with user Real Name field

User real name field is not sanitised on tag_update_page.php thus
leading to an XSS vulnerability.
Affected Issues
0011238
mod - tag_update_page.php
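
The pattern behind this report, as an added example that is not MantisBT code and not the fix from the changesets above: a stored real name written into markup unchanged, next to the same output HTML-encoded at render time. The function names (render_creator_option_unsafe, render_creator_option_safe, h), the markup, and the sample user record are hypothetical.

```php
<?php
// Added illustration; function names and markup are hypothetical, not MantisBT code.

// Constructed sample record using the real name from the report.
$user = [
    'id'       => 7,
    'username' => 'reporter1',
    'realname' => '<script>alert(42);</script>',
];

// Vulnerable pattern: a stored profile field is concatenated into markup unchanged,
// so the browser parses the name as HTML.
function render_creator_option_unsafe(array $user): string
{
    return '<option value="' . $user['id'] . '">' . $user['realname'] . '</option>';
}

// HTML-encode at the point of output. ENT_QUOTES encodes both quote characters,
// so the result is safe in element content and in quoted attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every dynamic value is encoded, including the title attribute.
function render_creator_option_safe(array $user): string
{
    return '<option value="' . (int) $user['id'] . '" title="' . h($user['username']) . '">'
         . h($user['realname']) . '</option>';
}

$unsafe = render_creator_option_unsafe($user);
$safe   = render_creator_option_safe($user);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// Regression check: no raw tag opener from the stored name may reach the page.
if (strpos($safe, '<script') !== false) {
    fwrite(STDERR, "real name was emitted without encoding\n");
    exit(1);
}
```

Encoding at output holds even when input validation, the subject of parent issue 0011234, is missing or bypassed.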