View Issue Details

ID: 0011260
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-02-20 02:35
Reporter: dhx
Assigned To: dhx
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.0
Fixed in Version: 1.2.0
Summary: 0011260: Attribute/XSS injection in permalink_page.php
Description

HTML attribute injection via:
http://localhost/mantis/permalink_page.php?url=%22%20style=%22display:none%22

This is a possible XSS issue, although <script> tags don't have any direct effect. It's still possible to use CSS to do naughty things.

Tags: No tags attached.
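
The report's `url` value, traced through an unescaped and an escaped attribute write. This is an added example, not code from the issue or from MantisBT: the function names are hypothetical, the DOM extension is assumed to be available, and `htmlspecialchars()` stands in for whatever escaping the actual fix uses. Parsing both results shows the unescaped anchor gaining a `style` attribute while the escaped one keeps only `href`.

```php
<?php
// Added illustration, not MantisBT source. Function names are hypothetical.

// Vulnerable pattern: request value concatenated into a quoted attribute,
// so a '"' inside the value ends the attribute early.
function permalink_unsafe(string $url): string {
    return '<a href="' . $url . '">' . $url . '</a>';
}

// Hardened pattern: escape for HTML before output. ENT_QUOTES covers both
// quote styles, so the value cannot close the attribute it is written into.
function permalink_escaped(string $url): string {
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

// Regression check: parse the markup and list the attribute names that
// end up on the first <a> element (assumes ext-dom is loaded).
function anchor_attributes(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragments trigger parser notices
    $doc->loadHTML($html);
    libxml_clear_errors();
    $names = [];
    $a = $doc->getElementsByTagName('a')->item(0);
    if ($a !== null) {
        foreach ($a->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
    }
    return $names;
}

// Query-string value from the report, decoded as PHP delivers it in $_GET.
$url = urldecode('%22%20style=%22display:none%22');

echo permalink_unsafe($url), "\n";
print_r(anchor_attributes(permalink_unsafe($url)));
echo permalink_escaped($url), "\n";
print_r(anchor_attributes(permalink_escaped($url)));
```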

Relationships

related to: 0019384 | closed | atrol | Multiple Cross-Site Scripting Vulnerabilities

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.2.x 1740b99c

2009-12-05 09:09

dhx


Fix 0011260: Attribute injection/XSS in permalink_page.php

HTML attribute injection via:
permalink_page.php?url=%22%20style=%22display:none%22

This is a possible XSS issue, although <script> tags don't have any
direct effect. It's still possible to use CSS to do naughty things.
Affected Issues
0011260
mod - permalink_page.php

MantisBT: master 3363f907

2009-12-05 09:09

dhx


Fix 0011260: Attribute injection/XSS in permalink_page.php

HTML attribute injection via:
permalink_page.php?url=%22%20style=%22display:none%22

This is a possible XSS issue, although <script> tags don't have any
direct effect. It's still possible to use CSS to do naughty things.
Affected Issues
0011260
mod - permalink_page.php