View Issue Details
| Field | Value |
|---|---|
| ID | 0012232 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2010-08-04 10:05 |
| Last Update | 2011-08-02 12:35 |
| Reporter | dhx |
| Assigned To | dhx |
| Priority | immediate |
| Severity | crash |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.2 |
| Target Version | 1.2.3 |
| Fixed in Version | 1.2.3 |
| Summary | 0012232: Multiple XSS issues with custom field enumeration values |
| Description | MantisBT administrators (who can configure custom fields) can place malicious Javascript within the options they define for custom field enumeration/checkbox/radio/etc field types. These HTML-unsafe options are then printed to users throughout MantisBT (report, update, view, etc) without sanitisation. This is low risk due to the need to be a MantisBT administrator to configure custom field values. Rather than being a pure security risk, this is more a case of allowing more characters to be used safely within custom field options. |
| Tags | No tags attached. |
Changeset: MantisBT master 7ab71d01 (2010-08-04 10:05)

Fix 0012232: Multiple XSS issues with custom field enumeration values

MantisBT administrators (who can configure custom fields) can place malicious Javascript within the options they define for custom field enumeration/checkbox/radio/etc field types. These HTML-unsafe options are then printed to users throughout MantisBT (report, update, view, etc) without sanitisation. This is low risk due to the need to be a MantisBT administrator to configure custom field values. Rather than being a pure security risk, this is more a case of allowing all characters to be used safely within custom field options.

Affected Issues: 0012232

mod - core/cfdefs/cfdef_standard.php

Changeset: MantisBT master-1.2.x 243ff6f6 (2010-08-04 10:05)

Fix 0012232: Multiple XSS issues with custom field enumeration values

MantisBT administrators (who can configure custom fields) can place malicious Javascript within the options they define for custom field enumeration/checkbox/radio/etc field types. These HTML-unsafe options are then printed to users throughout MantisBT (report, update, view, etc) without sanitisation. This is low risk due to the need to be a MantisBT administrator to configure custom field values. Rather than being a pure security risk, this is more a case of allowing all characters to be used safely within custom field options.

Affected Issues: 0012232

mod - core/cfdefs/cfdef_standard.php
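The bug class described in this issue, as an added illustration in PHP that is not MantisBT's own code and does not reproduce the contents of core/cfdefs/cfdef_standard.php: an administrator-defined option list is rendered into a `<select>` once without escaping and once with htmlspecialchars(), and the same escaping is applied to a checkbox group. The '|'-separated storage format, the function names and the constructed sample option list are assumptions made for the example, not taken from the page.

```php
<?php
// Added example, not MantisBT project code. Models issue 0012232: custom
// field enumeration options are rendered into HTML without escaping.
// Assumptions (not from the issue page): options are stored as one
// '|'-separated string; field names and option text are all the example's own.

// Constructed sample input: an option list as an administrator might save it,
// including markup and attribute-breaking characters.
$possibleValues = 'Low|Medium|High|<script>alert(document.cookie)</script>|Say "hi" & go';
$selected       = 'Medium';

/** Encode text for use in HTML element content and quoted attributes. */
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/**
 * Vulnerable rendering: option text and the value attribute are emitted raw,
 * so an option containing "<script>" or a double quote injects markup or
 * breaks out of the attribute. This is the 'before' behaviour, kept on purpose.
 */
function render_select_vulnerable(string $name, string $possibleValues, string $selected): string {
    $html = '<select name="' . $name . '">';
    foreach (explode('|', $possibleValues) as $option) {
        $attr  = ($option === $selected) ? ' selected="selected"' : '';
        $html .= '<option value="' . $option . '"' . $attr . '>' . $option . '</option>';
    }
    return $html . '</select>';
}

/**
 * Hardened rendering: every option is escaped both inside the value attribute
 * and in the element text. The "selected" comparison still uses the raw stored
 * value, so matching against the saved field value is unaffected.
 */
function render_select_fixed(string $name, string $possibleValues, string $selected): string {
    $html = '<select name="' . html_escape($name) . '">';
    foreach (explode('|', $possibleValues) as $option) {
        $attr  = ($option === $selected) ? ' selected="selected"' : '';
        $html .= '<option value="' . html_escape($option) . '"' . $attr . '>'
               . html_escape($option) . '</option>';
    }
    return $html . '</select>';
}

/**
 * The same treatment for a checkbox group (the issue also names checkbox and
 * radio field types): name, value and label text are all escaped.
 */
function render_checkboxes_fixed(string $name, string $possibleValues, array $selected): string {
    $html = '';
    foreach (explode('|', $possibleValues) as $option) {
        $checked = in_array($option, $selected, true) ? ' checked="checked"' : '';
        $html   .= '<label><input type="checkbox" name="' . html_escape($name) . '[]" value="'
                 . html_escape($option) . '"' . $checked . '> ' . html_escape($option) . "</label>\n";
    }
    return $html;
}

/** Self-check: no raw script tag survives, and escaped text decodes back unchanged. */
function self_check(string $possibleValues, string $selected): bool {
    $fixed     = render_select_fixed('custom_field_1', $possibleValues, $selected);
    $noScript  = strpos($fixed, '<script>') === false;
    $roundTrip = htmlspecialchars_decode(html_escape('Say "hi" & go'), ENT_QUOTES) === 'Say "hi" & go';
    return $noScript && $roundTrip;
}

echo "Vulnerable:\n", render_select_vulnerable('custom_field_1', $possibleValues, $selected), "\n\n";
echo "Fixed:\n",      render_select_fixed('custom_field_1', $possibleValues, $selected), "\n\n";
echo "Checkboxes:\n", render_checkboxes_fixed('custom_field_2', $possibleValues, ['Low', 'High']);
echo "Self-check: ", (self_check($possibleValues, $selected) ? 'ok' : 'FAILED'), "\n";
```

Run with `php example.php` and compare the two `<select>` outputs: the vulnerable one carries the `<script>` element and an unbalanced `"` into the page, the fixed one shows `&lt;script&gt;` and `&quot;hi&quot;` as inert text while the submitted value still round-trips after decoding. Escaping at output time, rather than restricting which characters an administrator may type, is what the commit message means by allowing all characters to be used safely within custom field options.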