View Issue Details

ID: 0015511
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: atrol
Assigned To: atrol
Priority: high
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.14
Target Version: 1.2.15
Fixed in Version: 1.2.15
Summary0015511: CVE-2013-1931: XSS vulnerability when deleting a version
Description

Script is executed when trying to remove a version that has scripting code in its name.

Steps To Reproduce
  1. Create a version named <script>alert ("XSS")</script>
  2. Try to delete the version
Additional Information

The XSS issue does not occur in version 1.3.x using Firefox (IE is affected).
The CSP introduced in 0011825 prevents execution in Firefox, but the version name is not displayed.

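The following is an added example, not MantisBT's own code or the actual diff of the fix: a minimal stand-in for the delete-confirmation page that manage_proj_ver_delete.php renders, shown in the vulnerable form (version name concatenated into the HTML as-is) and the hardened form (escaped at the output point with htmlspecialchars). The function names, the form markup and the sample version name are constructed for illustration; the sample name mirrors step 1 of the reproduction steps.

```php
<?php
// Added example, not MantisBT code: a minimal stand-in for the
// confirmation page that manage_proj_ver_delete.php renders.
// The version name is attacker-controlled (anyone who may create a
// version on the project) and ends up in the page body.

declare(strict_types=1);

// Constructed sample input, mirroring step 1 of the report.
const VERSION_NAME = '<script>alert ("XSS")</script>';

// "Before": the untrusted name is concatenated straight into the HTML.
function confirm_page_vulnerable(string $version_name): string {
    return '<form method="post" action="manage_proj_ver_delete.php">'
        . '<p>Delete version "' . $version_name . '"?</p>'
        . '<input type="submit" value="Delete Version" />'
        . '</form>';
}

// "After": the untrusted string is HTML-escaped where it is emitted.
// ENT_QUOTES also converts ' and ", so the value is safe inside either
// quoting style; ENT_SUBSTITUTE avoids returning "" on malformed UTF-8,
// which would otherwise silently drop the text rather than escape it.
function confirm_page_fixed(string $version_name): string {
    $safe = htmlspecialchars($version_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="manage_proj_ver_delete.php">'
        . '<p>Delete version "' . $safe . '"?</p>'
        . '<input type="submit" value="Delete Version" />'
        . '</form>';
}

// Crude regression check for a test suite: does the rendered page still
// contain a raw <script tag taken over from the input?
function contains_raw_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    $pages = [
        'vulnerable' => confirm_page_vulnerable(VERSION_NAME),
        'fixed'      => confirm_page_fixed(VERSION_NAME),
    ];
    foreach ($pages as $label => $html) {
        printf("%-10s raw <script> present: %s\n%s\n\n",
            $label, contains_raw_script_tag($html) ? 'yes' : 'no', $html);
    }
}
```

Run with `php confirm.php`: the vulnerable page carries the script tag verbatim, the fixed one renders it as `&lt;script&gt;alert (&quot;XSS&quot;)&lt;/script&gt;`, which the browser shows as text. The reporter's observation about 1.3.x is the relevant caveat: a Content-Security-Policy header stops the inline script in browsers that enforce it, but not in those that ignore the header (IE in the report), so CSP is defence in depth and output escaping remains the actual fix.
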
Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

grangeway (reporter), 2013-04-05 17:56, note ~0036092

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

dregad (developer), 2013-04-08 05:43, note ~0036538

CVE assigned on 06-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9878

Related Changesets

MantisBT: master-1.2.x 8b13da01
2013-02-15 15:15, atrol
Fix 0015511: XSS vulnerability when deleting a version
Affected Issues: 0015511
mod - manage_proj_ver_delete.php

MantisBT: master 44e140e9
2013-02-15 15:21, atrol
Fix 0015511: XSS vulnerability when deleting a version
Affected Issues: 0015511
mod - manage_proj_ver_delete.php