MantisBT

ID: 0015511
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2013-02-15 15:16
Last Update: 2014-09-23 18:05
Reporter: atrol
Assigned To: atrol
Priority: high
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.2.14
Target Version: 1.2.15
Fixed in Version: 1.2.15
Summary: 0015511: CVE-2013-1931: XSS vulnerability when deleting a version
Description: Script is executed when trying to remove a version having scripting code in the name of the version.
Steps To Reproduce:
1. Create a version <script>alert ("XSS")</script>
2. Try to delete the version
Additional Information: The XSS issue does not occur in version 1.3.x using Firefox (IE is affected)
CSP introduced in 0011825 prevents executing in Firefox, but the version name is not displayed.
Tags: No tags attached.
Attached Files:
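
The pattern behind this report, shown as an added PHP example; it is not MantisBT code and not the fix from the related changesets. The function names and confirmation text are hypothetical, and the sample version name is the one from the reproduction steps.

```php
<?php
// Added illustration, not MantisBT code. All function names are hypothetical.

// Constructed sample: a version name as it would be stored, taken from the
// report's "Steps To Reproduce".
$stored_version_name = '<script>alert ("XSS")</script>';

/**
 * Vulnerable pattern: the stored name is concatenated into the confirmation
 * page unmodified, so the browser parses it as markup.
 */
function confirm_delete_unsafe(string $version_name): string
{
    return '<p>Are you sure you want to delete this version? ' . $version_name . '</p>';
}

/**
 * Hardened pattern: encode for the HTML context at output time.
 * ENT_QUOTES also protects attribute contexts; the charset is explicit.
 */
function confirm_delete_safe(string $version_name): string
{
    $encoded = htmlspecialchars($version_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Are you sure you want to delete this version? ' . $encoded . '</p>';
}

/** Returns true when the rendered fragment parses to a real <script> element. */
function contains_script_element(string $html): bool
{
    $doc = new DOMDocument();
    // '@' silences parser warnings about the HTML fragment.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    return $doc->getElementsByTagName('script')->length > 0;
}

// Regression-style check: parse both renderings and look for a script node.
var_dump(contains_script_element(confirm_delete_unsafe($stored_version_name)));
var_dump(contains_script_element(confirm_delete_safe($stored_version_name)));

// The encoded rendering still shows the full version name as text.
echo confirm_delete_safe($stored_version_name), PHP_EOL;
```

Encoding at output keeps the version name visible as text on the confirmation page, which blocking script execution alone does not.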

- Relationships
related to 0015721 | closed | grangeway | Functionality to consider porting to master-2.0.x

- Notes
(0036092)
grangeway (reporter)
2013-04-05 17:56

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

(0036538)
dregad (developer)
2013-04-08 05:43

CVE assigned on 06-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9878

- Related Changesets
MantisBT: master-1.2.x 8b13da01
Timestamp: 2013-02-15 20:15:53
Author: atrol
Fix 0015511: XSS vulnerability when deleting a version
mod - manage_proj_ver_delete.php

MantisBT: master 44e140e9
Timestamp: 2013-02-15 20:21:22
Author: atrol
Fix 0015511: XSS vulnerability when deleting a version
mod - manage_proj_ver_delete.php

- Issue History
Date Modified | Username | Field | Change
2013-02-15 15:16 | atrol | New Issue |
2013-02-15 15:16 | atrol | Status | new => assigned
2013-02-15 15:16 | atrol | Assigned To | => atrol
2013-02-15 15:22 | atrol | Changeset attached | => MantisBT master-1.2.x 8b13da01
2013-02-15 15:22 | atrol | Status | assigned => resolved
2013-02-15 15:22 | atrol | Resolution | open => fixed
2013-02-15 15:22 | atrol | Fixed in Version | => 1.2.15
2013-02-15 15:22 | atrol | Changeset attached | => MantisBT master 44e140e9
2013-02-18 06:54 | dregad | View Status | private => public
2013-04-05 17:56 | grangeway | Status | resolved => acknowledged
2013-04-05 17:56 | grangeway | Note Added: 0036092 |
2013-04-05 19:39 | grangeway | Relationship added | related to 0015721
2013-04-06 03:37 | dregad | Status | acknowledged => resolved
2013-04-06 03:37 | dregad | Fixed in Version | 1.2.15 =>
2013-04-06 03:38 | dregad | Fixed in Version | => 1.2.15
2013-04-06 07:21 | grangeway | Status | resolved => acknowledged
2013-04-06 09:26 | dregad | Tag Attached: 2.0.x check |
2013-04-06 09:26 | dregad | Status | acknowledged => resolved
2013-04-08 05:43 | dregad | Note Added: 0036538 |
2013-04-08 05:43 | dregad | Summary | XSS vulnerability when deleting a version => CVE-2013-1931: XSS vulnerability when deleting a version
2013-04-12 09:56 | dregad | Status | resolved => closed
2014-09-23 18:05 | grangeway | Tag Detached: 2.0.x check |

