View Issue Details

ID: 0015511
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: atrol
Assigned To: atrol
Priority: high
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.14
Target Version: 1.2.15
Fixed in Version: 1.2.15
Summary: 0015511: CVE-2013-1931: XSS vulnerability when deleting a version
Description

A script is executed when trying to remove a version that has scripting code in its name.

Steps To Reproduce
  1. Create a version <script>alert (XSS)</script>
  2. Try to delete the version
Additional Information

The XSS issue does not occur in version 1.3.x using Firefox (IE is affected).
The CSP introduced in 0011825 prevents execution in Firefox, but the version name is not displayed.
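As an added example (not code from this page or from MantisBT itself), the defect class this issue describes: the version name embedded unescaped in the delete-confirmation text, next to the hardened form, checked with the exact name from the steps to reproduce. The function names, the page text and the use of PHP's htmlspecialchars() in place of MantisBT's own string_display_line() helper are this example's assumptions.

```php
<?php
// Added example, not MantisBT's code. Shows the unescaped and the escaped way
// of putting a user-controlled version name into a delete-confirmation page.

function confirm_delete_unsafe(string $version_name): string {
    // Raw interpolation: a name such as <script>...</script> becomes live markup.
    return '<p>Are you sure you want to delete this version?<br/>'
         . 'Version: ' . $version_name . '</p>';
}

function confirm_delete_safe(string $version_name): string {
    // Escape for the HTML text context before embedding. ENT_QUOTES also
    // neutralises quotes should the value later land in an attribute; a value
    // placed inside a <script> block would need JS-specific encoding instead.
    $t_escaped = htmlspecialchars($version_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Are you sure you want to delete this version?<br/>'
         . 'Version: ' . $t_escaped . '</p>';
}

// Regression check: does the rendered page still contain a raw script tag?
function contains_raw_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

function expect(bool $condition, string $message): void {
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $message);
    }
}

// Name taken from the issue's "Steps To Reproduce" (constructed test input).
$t_name = '<script>alert (XSS)</script>';

$t_unsafe = confirm_delete_unsafe($t_name);
$t_safe   = confirm_delete_safe($t_name);

expect(contains_raw_script_tag($t_unsafe), 'unsafe rendering reflects the script tag');
expect(!contains_raw_script_tag($t_safe), 'escaped rendering contains no script tag');
// Unlike the CSP-only behaviour noted above, escaping still shows the name.
expect(strpos($t_safe, '&lt;script&gt;alert (XSS)&lt;/script&gt;') !== false,
       'escaped rendering still displays the version name as text');

echo $t_safe, PHP_EOL;
```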

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

grangeway (reporter), 2013-04-05 17:56, note ~0036092

Marking as acknowledged, not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

dregad (developer), 2013-04-08 05:43, note ~0036538

CVE assigned on 06-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9878

Related Changesets

MantisBT: master-1.2.x 8b13da01
2013-02-15 20:15:53, atrol
Fix 0015511: XSS vulnerability when deleting a version
mod - manage_proj_ver_delete.php

MantisBT: master 44e140e9
2013-02-15 20:21:22, atrol
Fix 0015511: XSS vulnerability when deleting a version
mod - manage_proj_ver_delete.php

Issue History

Date Modified | Username | Field | Change
2013-02-15 15:16 atrol New Issue
2013-02-15 15:16 atrol Status new => assigned
2013-02-15 15:16 atrol Assigned To => atrol
2013-02-15 15:22 atrol Changeset attached => MantisBT master-1.2.x 8b13da01
2013-02-15 15:22 atrol Status assigned => resolved
2013-02-15 15:22 atrol Resolution open => fixed
2013-02-15 15:22 atrol Fixed in Version => 1.2.15
2013-02-15 15:22 atrol Changeset attached => MantisBT master 44e140e9
2013-02-18 06:54 dregad View Status private => public
2013-04-05 17:56 grangeway Status resolved => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036092
2013-04-05 19:39 grangeway Relationship added related to 0015721
2013-04-06 03:37 dregad Status acknowledged => resolved
2013-04-06 03:37 dregad Fixed in Version 1.2.15 =>
2013-04-06 03:38 dregad Fixed in Version => 1.2.15
2013-04-06 07:21 grangeway Status resolved => acknowledged
2013-04-06 09:26 dregad Tag Attached: 2.0.x check
2013-04-06 09:26 dregad Status acknowledged => resolved
2013-04-08 05:43 dregad Note Added: 0036538
2013-04-08 05:43 dregad Summary XSS vulnerability when deleting a version => CVE-2013-1931: XSS vulnerability when deleting a version
2013-04-12 09:56 dregad Status resolved => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check