MantisBT

View Issue Details
ID: 0012232
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2010-08-04 10:05
Last Update: 2011-08-02 12:35
Reporter: dhx
Assigned To: dhx
Priority: immediate
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not set)
Product Version: 1.2.2
Target Version: 1.2.3
Fixed in Version: 1.2.3
Summary: 0012232: Multiple XSS issues with custom field enumeration values
Description:
MantisBT administrators (who can configure custom fields) can place malicious JavaScript within the options they define for custom field enumeration/checkbox/radio/etc. field types. These HTML-unsafe options are then printed to users throughout MantisBT (report, update, view, etc.) without sanitisation.

This is low risk due to the need to be a MantisBT administrator to configure custom field values. Rather than being a pure security risk, this is more a case of allowing more characters to be used safely within custom field options.
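The bug class described above, as an added illustration that is not MantisBT's own code or the fix in cfdef_standard.php: an administrator-defined option list is rendered into a select element and into checkboxes, first by interpolating the raw stored values (vulnerable), then by HTML-encoding each value at the point of output in both the attribute and the text node (hardened). The '|'-separated storage format and the function and field names are assumptions made for the example; the sample option list containing markup is constructed.

```php
<?php
// Added example (not MantisBT code). Assumes custom field "possible values"
// are stored as a '|'-separated string (assumption) and that the stored
// values come from an administrator, i.e. are not trusted for HTML output.

// Constructed sample: an admin-defined option list carrying two payloads, one
// that injects an element into the option text and one that breaks out of
// the value="..." attribute.
$possible_values = 'Low|Medium|High|<img src=x onerror="alert(1)">|"><script>alert(2)</script>';
$selected = 'High';

// Vulnerable rendering: option value attribute and option text are emitted
// raw, so the stored markup becomes live HTML on report/update/view pages.
function render_select_unsafe(string $possible_values, string $selected): string {
    $html = '<select name="custom_field">';
    foreach (explode('|', $possible_values) as $option) {
        $sel = ($option === $selected) ? ' selected="selected"' : '';
        $html .= '<option value="' . $option . '"' . $sel . '>' . $option . '</option>';
    }
    return $html . '</select>';
}

// Output encoder: ENT_QUOTES covers both quote characters so a value cannot
// close the attribute it is placed in; the charset is stated explicitly.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every admin-supplied string is encoded where it is
// written into HTML. Selection is still compared on the raw stored value, so
// arbitrary characters in option names keep working.
function render_select_safe(string $possible_values, string $selected): string {
    $html = '<select name="custom_field">';
    foreach (explode('|', $possible_values) as $option) {
        $sel = ($option === $selected) ? ' selected="selected"' : '';
        $html .= '<option value="' . h($option) . '"' . $sel . '>' . h($option) . '</option>';
    }
    return $html . '</select>';
}

// Checkbox/radio variant: same rule, both the value attribute and the visible
// label are encoded; checked state is decided on the raw value.
function render_checkboxes_safe(string $possible_values, array $checked): string {
    $html = '';
    foreach (explode('|', $possible_values) as $option) {
        $chk = in_array($option, $checked, true) ? ' checked="checked"' : '';
        $html .= '<label><input type="checkbox" name="custom_field[]" value="' . h($option) . '"' . $chk . '> '
              . h($option) . '</label>' . "\n";
    }
    return $html;
}

// Self-check: the hardened markup contains the payload only in encoded form.
$safe = render_select_safe($possible_values, $selected);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
assert(strpos($safe, 'selected="selected">High<') !== false);

echo "--- vulnerable ---\n", render_select_unsafe($possible_values, $selected), "\n\n";
echo "--- hardened ---\n", $safe, "\n\n";
echo render_checkboxes_safe($possible_values, ['Low', 'High']);
```

The check that matters when reviewing a fix of this kind is that encoding happens on every output path (the report, update and view pages the description lists), not once at storage time: encoding at storage would corrupt the stored values the form later compares against for the selected/checked state.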
Tags: No tags attached.
Attached Files: none
Relationships:
related to 0012370 (closed, giallu): Multiple XSS issues with custom field enumeration values

Notes:
There are no notes attached to this issue.

Related Changesets

MantisBT: master 7ab71d01
Timestamp: 2010-08-04 14:05:39
Author: dhx
Fix 0012232: Multiple XSS issues with custom field enumeration values

MantisBT administrators (who can configure custom fields) can place
malicious JavaScript within the options they define for custom field
enumeration/checkbox/radio/etc. field types. These HTML-unsafe options
are then printed to users throughout MantisBT (report, update, view,
etc.) without sanitisation.

This is low risk due to the need to be a MantisBT administrator to
configure custom field values. Rather than being a pure security risk,
this is more a case of allowing all characters to be used safely within
custom field options.
Modified: core/cfdefs/cfdef_standard.php
MantisBT: master-1.2.x 243ff6f6
Timestamp: 2010-08-04 14:05:39
Author: dhx
Fix 0012232: Multiple XSS issues with custom field enumeration values
(commit message identical to master 7ab71d01 above)
Modified: core/cfdefs/cfdef_standard.php

Issue History
Date Modified | Username | Field | Change
2010-08-04 10:05 dhx New Issue
2010-08-04 10:05 dhx Status new => assigned
2010-08-04 10:05 dhx Assigned To => dhx
2010-08-04 10:07 dhx Changeset attached => MantisBT master 7ab71d01
2010-08-04 10:07 dhx Changeset attached => MantisBT master-1.2.x 243ff6f6
2010-08-04 10:07 dhx Resolution open => fixed
2010-08-04 10:07 dhx Fixed in Version => 1.2.3
2010-08-04 10:07 dhx Status assigned => resolved
2010-08-05 18:37 dhx View Status private => public
2010-09-18 19:12 giallu Issue cloned: 0012370
2010-09-18 19:12 giallu Relationship added related to 0012370
2011-08-02 12:35 dregad Status resolved => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team