View Issue Details

ID: 0011239
Project: mantisbt
Category: security
View Status: public
Last Update: 2010-02-22 14:34
Reporter: dhx
Assigned To: dhx
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.0
Fixed in Version: 1.2.0
Summary: 0011239: XSS on view_user_page.php with user Real Name field
Description

Set your real name in "My Account" to something including "<script>alert(42);</script>" and then go to view_issue_page.php. You'll get a JavaScript alert message indicating that an XSS vulnerability exists.
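As an added illustration, not MantisBT's own code and not the content of the changesets listed under Related Changesets, the vulnerable output pattern beside the fix (encoding at the point of output); the function names, the `$realname` variable and the surrounding markup are assumed for the example:

```php
<?php
// Added example, not MantisBT's code. $realname stands for the raw Real Name
// value as loaded from the user table; function names and markup are assumed.

/** Vulnerable: the stored value is concatenated into HTML unchanged, so a
 *  name containing markup is parsed as markup by the viewer's browser. */
function render_realname_unsafe($realname) {
    return '<td class="realname">' . $realname . '</td>';
}

/** Fixed: encode at the point of output. ENT_QUOTES also encodes ' and ",
 *  so the same helper is safe inside a quoted attribute; the charset is
 *  given explicitly so htmlspecialchars() cannot fall back to a default
 *  that differs from the page's own encoding. */
function html_encode($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function render_realname_safe($realname) {
    return '<td class="realname">' . html_encode($realname) . '</td>';
}

/** The same value placed in an attribute context (a tooltip on the user
 *  link) needs the same encoding; the attribute must be quoted. */
function render_realname_link_safe($user_id, $realname) {
    $enc = html_encode($realname);
    return '<a href="view_user_page.php?id=' . (int)$user_id . '" title="'
        . $enc . '">' . $enc . '</a>';
}

/** Regression check: no raw tag may survive in the rendered fragment. */
function output_is_inert($html) {
    return strpos($html, '<script') === false;
}

// Constructed input: the value the report says to set under "My Account".
$realname = '<script>alert(42);</script>';

echo render_realname_unsafe($realname), PHP_EOL;   // tag reaches the browser
echo render_realname_safe($realname), PHP_EOL;     // tag is rendered as text
echo render_realname_link_safe(1, $realname), PHP_EOL;

var_dump(output_is_inert(render_realname_unsafe($realname)));
var_dump(output_is_inert(render_realname_safe($realname)));
```

Validating the value on account_page.php (the parent issue 0011234) is useful defence in depth, but output encoding is what keeps the page safe regardless of how the value reached the database.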

Tags: No tags attached.

Relationships

child of 0011234 (closed, dhx): user_ensure_realname_valid() is not checked on account_page.php

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.2.x 67ed4313

2009-12-01 01:08

dhx


Fix 0011239: XSS on view_user_page.php with user Real Name field

User real names aren't sanitised before display on view_user_page.php,
thus this leads to an XSS vulnerability.
Affected Issues: 0011239
mod - view_user_page.php

MantisBT: master 15b0752a

2009-12-01 01:08

dhx


Fix 0011239: XSS on view_user_page.php with user Real Name field

User real names aren't sanitised before display on view_user_page.php,
thus this leads to an XSS vulnerability.
Affected Issues: 0011239
mod - view_user_page.php