MantisBT

ID: 0012230
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2010-08-04 09:13
Last Update: 2011-08-02 12:35
Reporter: jreese
Assigned To: dhx
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.2.2
Target Version: 1.2.3
Fixed in Version: 1.2.3
Summary: 0012230: XSS vulnerability when deleting maliciously named categories
Description: As reported by Secunia, SA40832, there is an XSS vulnerability when deleting categories that have been maliciously named. Chance of attack is extremely low due to requiring project manager access.
Additional Information: Official Secunia announcement: http://secunia.com/advisories/40832/
Tags: No tags attached.
Attached Files:

- Relationships
related to 0012231 (closed, dhx): XSS vulnerability when uninstalling maliciously named plugins
related to 0012369 (closed, giallu): XSS vulnerability when deleting maliciously named categories

- Notes
(0026211)
dhx (developer)
2010-08-04 09:28

All fixed, thanks John :)

(0026236)
jreese (administrator)
2010-08-05 18:13
edited on: 2010-08-05 18:21

Official Secunia announcement: http://secunia.com/advisories/40832/

(0026578)
oberger (reporter)
2010-09-04 17:31

For future reference, this is also CVE-2010-2574 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2574)

- Related Changesets
MantisBT: master 083c34f0
Timestamp: 2010-08-04 13:17:54
Author: dhx
Fix 0012230: XSS vulnerability when deleting maliciously named categories

As reported by Secunia, SA40832, there is an XSS vulnerability when
deleting project categories that have been maliciously named. The chance
of attack is low due to requiring project manager access to create
malicious project categories in the first place.

Thanks to John Reese for debugging this issue.
mod - manage_proj_cat_delete.php
MantisBT: master-1.2.x a374a7c9
Timestamp: 2010-08-04 13:17:54
Author: dhx
Fix 0012230: XSS vulnerability when deleting maliciously named categories

As reported by Secunia, SA40832, there is an XSS vulnerability when
deleting project categories that have been maliciously named. The chance
of attack is low due to requiring project manager access to create
malicious project categories in the first place.

Thanks to John Reese for debugging this issue.
mod - manage_proj_cat_delete.php

- Issue History
Date Modified Username Field Change
2010-08-04 09:13 jreese New Issue
2010-08-04 09:13 jreese Status new => assigned
2010-08-04 09:13 jreese Assigned To => dhx
2010-08-04 09:15 jreese Issue cloned: 0012231
2010-08-04 09:15 jreese Relationship added related to 0012231
2010-08-04 09:28 dhx Changeset attached => MantisBT master 083c34f0
2010-08-04 09:28 dhx Changeset attached => MantisBT master-1.2.x a374a7c9
2010-08-04 09:28 dhx Resolution open => fixed
2010-08-04 09:28 dhx Fixed in Version => 1.2.3
2010-08-04 09:28 dhx Note Added: 0026211
2010-08-04 09:28 dhx Status assigned => resolved
2010-08-04 09:28 dhx Fixed in Version 1.2.3 =>
2010-08-04 09:29 dhx Fixed in Version => 1.2.3
2010-08-05 18:13 jreese Note Added: 0026236
2010-08-05 18:21 jreese Note Edited: 0026236
2010-08-05 18:22 jreese Additional Information Updated
2010-08-05 18:37 dhx View Status private => public
2010-09-04 17:31 oberger Note Added: 0026578
2010-09-18 17:32 giallu Issue cloned: 0012369
2010-09-18 17:32 giallu Relationship added related to 0012369
2011-08-02 12:35 dregad Status resolved => closed

