MantisBT

ID: 0016513
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2013-10-19 14:35
Last Update: 2014-02-07 18:24
Reporter: atrol
Assigned To: atrol
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.2.15
Target Version: 1.2.16
Fixed in Version: 1.2.16
Summary: 0016513: CVE-2013-4460: XSS in account_sponsor_page.php project names
Description: account_sponsor_page.php does not correctly sanitise project names.
It is thus possible for a malicious user with project manager access permissions (or higher) to let users execute malicious JavaScript when visiting account_sponsor_page.php.
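As an added illustration (not MantisBT's own code and not the actual fix), the pattern behind this class of bug: a project name stored by a project manager is written into the page's HTML verbatim, shown beside the same rendering with output encoding. MantisBT's string_api provides string_display_line() for this purpose; the example uses plain htmlspecialchars() so it runs stand-alone, and the project name is a constructed sample.

```php
<?php
// Added example, not MantisBT code. Shows why an unescaped project name in an
// HTML table cell is a stored XSS, and what the output-encoding fix changes.

// Constructed sample: a project name as a project manager could store it.
$sample_project_name = 'Website <img src=x onerror="alert(1)">';

// Vulnerable pattern: the stored name is concatenated into the markup, so any
// HTML it contains becomes part of the page every visitor loads.
function render_project_cell_vulnerable(string $name): string {
    return '<td>' . $name . '</td>';
}

// Hardened pattern: encode for an HTML text context at output time.
// (In MantisBT the equivalent helper is string_display_line().)
function render_project_cell_safe(string $name): string {
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Check used below: does the cell's content still contain a raw '<', i.e.
// could the stored value have introduced a tag of its own?
function contains_raw_tag(string $html_cell): bool {
    $inner = substr($html_cell, strlen('<td>'), -strlen('</td>'));
    return strpos($inner, '<') !== false;
}

$vulnerable = render_project_cell_vulnerable($sample_project_name);
$safe = render_project_cell_safe($sample_project_name);

echo "vulnerable cell: $vulnerable\n";
echo "safe cell:       $safe\n";
// The vulnerable cell carries the <img> element through; the safe cell only
// carries entity-encoded text that the browser renders literally.
var_dump(contains_raw_tag($vulnerable));
var_dump(contains_raw_tag($safe));
```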
Tags: No tags attached.
Attached Files: (none)
Relationships: (none)

Notes
Note 0038323
dregad (developer)
2013-10-21 17:57

Security issues should be backported to 1.2

Note 0038408
dregad (developer)
2013-10-31 19:51

CVE assigned http://thread.gmane.org/gmane.comp.security.oss.general/11351/focus=11367

Related Changesets

MantisBT: master 0002d106
Timestamp: 2013-10-19 14:36:16
Author: atrol

Fix 0016513: XSS in account_sponsor_page.php project names

account_sponsor_page.php does not correctly sanitise project
names. It is thus possible for a malicious user with project
manager access permissions (or higher) to let users execute
malicious JavaScript when visiting account_sponsor_page.php.

mod - account_sponsor_page.php
MantisBT: master-1.2.x ad929d48
Timestamp: 2013-10-19 14:36:16
Author: atrol
Committer: dregad

Fix 0016513: XSS in account_sponsor_page.php project names

account_sponsor_page.php does not correctly sanitise project
names. It is thus possible for a malicious user with project
manager access permissions (or higher) to let users execute
malicious JavaScript when visiting account_sponsor_page.php.

mod - account_sponsor_page.php

Issue History

Date Modified | Username | Field | Change
2013-10-19 14:35 atrol New Issue
2013-10-19 14:35 atrol Status new => assigned
2013-10-19 14:35 atrol Assigned To => atrol
2013-10-19 14:37 atrol Changeset attached => MantisBT master 0002d106
2013-10-19 14:37 atrol Status assigned => resolved
2013-10-19 14:37 atrol Resolution open => fixed
2013-10-19 14:37 atrol Fixed in Version => 1.3.0dev
2013-10-19 14:37 atrol Fixed in Version 1.3.0dev => 1.3.x
2013-10-21 17:57 dregad Note Added: 0038323
2013-10-21 18:02 dregad Changeset attached => MantisBT master-1.2.x ad929d48
2013-10-21 18:21 atrol Fixed in Version 1.3.x => 1.2.16
2013-10-21 18:21 atrol Target Version 1.3.x => 1.2.16
2013-10-31 19:51 dregad Note Added: 0038408
2013-10-31 19:51 dregad Summary XSS in account_sponsor_page.php project names => CVE-2013-4460: XSS in account_sponsor_page.php project names
2014-02-07 18:24 dregad Status resolved => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team