View Issue Details

ID: 0016513
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-22 08:23
Reporter: atrol
Assigned To: atrol
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.2.16
Fixed in Version: 1.2.16
Summary: 0016513: CVE-2013-4460: XSS in account_sponsor_page.php project names
Description

account_sponsor_page.php does not correctly sanitise project names.
It is thus possible for a malicious user with project manager access permissions (or higher) to let users execute malicious JavaScript when visiting account_sponsor_page.php.
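The bug class described above, as an added illustration rather than MantisBT's own code: a project name is written into the sponsor page's HTML without escaping, so a user who can rename a project (project manager or above) gets a payload rendered in the browser of every user who opens the page. The page layout, the `$t_projects` sample data and the two render functions below are assumptions made for the example; MantisBT's own output helper for this purpose is `string_display_line()`, but plain `htmlspecialchars()` is used here so the script runs stand-alone.

```php
<?php
// Added example, not code from the MantisBT repository. The row layout,
// the sample projects and the function names are assumptions for illustration.

// Constructed sample data: project names as a project manager could set them.
// The second and third entries carry payloads that are harmless as data but
// become active markup if written into HTML unescaped.
$t_projects = [
    ['id' => 1, 'name' => 'Core'],
    ['id' => 2, 'name' => '<script>alert(document.cookie)</script>'],
    ['id' => 3, 'name' => 'Docs" onmouseover="alert(1)'],
];

// Vulnerable pattern: the stored name is concatenated straight into HTML.
function render_sponsor_row_vulnerable(array $p_project): string {
    return '<tr><td>' . $p_project['name'] . '</td></tr>';
}

// Hardened pattern: escape at output time for the HTML context the value
// lands in. ENT_QUOTES also neutralises the attribute-breakout payload,
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function render_sponsor_row_safe(array $p_project): string {
    $t_name = htmlspecialchars($p_project['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $t_name . '</td></tr>';
}

// Check used by the demo: the cell content between the fixed <td></td>
// wrapper must not contain any raw markup-significant character.
function cell_is_inert(string $p_row): bool {
    $t_cell = substr($p_row, strlen('<tr><td>'), -strlen('</td></tr>'));
    return strpbrk($t_cell, '<>"\'') === false;
}

foreach ($t_projects as $t_project) {
    $t_vuln = render_sponsor_row_vulnerable($t_project);
    $t_safe = render_sponsor_row_safe($t_project);
    printf(
        "project %d: vulnerable=%s safe=%s\n",
        $t_project['id'],
        cell_is_inert($t_vuln) ? 'inert' : 'ACTIVE',
        cell_is_inert($t_safe) ? 'inert' : 'ACTIVE'
    );
    echo '  ' . $t_safe . "\n";
}
```

Run with `php example.php`; projects 2 and 3 report `vulnerable=ACTIVE safe=inert`. The point a reviewer would check in the real fix is that escaping happens on output (every place the name is rendered), not on input: MantisBT stores project names as entered, and a name that is safe in one context (text node) can still break out in another (attribute, JavaScript string), so each output site needs the escaping appropriate to its own context.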

Tags: No tags attached.

Relationships

Activities

dregad   2013-10-21 17:57   developer   ~0038323

Security issues should be backported to 1.2

dregad   2013-10-31 19:51   developer   ~0038408

CVE assigned http://thread.gmane.org/gmane.comp.security.oss.general/11351/focus=11367

Related Changesets

MantisBT: master 0002d106   2013-10-19 14:36:16   atrol

Fix 0016513: XSS in account_sponsor_page.php project names

account_sponsor_page.php does not correctly sanitise project
names. It is thus possible for a malicious user with project
manager access permissions (or higher) to let users execute
malicious JavaScript when visiting account_sponsor_page.php.

mod - account_sponsor_page.php

MantisBT: master-1.2.x ad929d48   2013-10-19 14:36:16   atrol   (Committer: dregad)

Fix 0016513: XSS in account_sponsor_page.php project names

account_sponsor_page.php does not correctly sanitise project
names. It is thus possible for a malicious user with project
manager access permissions (or higher) to let users execute
malicious JavaScript when visiting account_sponsor_page.php.

mod - account_sponsor_page.php

Issue History

Date Modified Username Field Change
2013-10-19 14:35 atrol New Issue
2013-10-19 14:35 atrol Status new => assigned
2013-10-19 14:35 atrol Assigned To => atrol
2013-10-19 14:37 atrol Changeset attached => MantisBT master 0002d106
2013-10-19 14:37 atrol Status assigned => resolved
2013-10-19 14:37 atrol Resolution open => fixed
2013-10-19 14:37 atrol Fixed in Version => 1.3.0dev
2013-10-19 14:37 atrol Fixed in Version 1.3.0dev => 1.3.0-beta.1
2013-10-21 17:57 dregad Note Added: 0038323
2013-10-21 18:02 dregad Changeset attached => MantisBT master-1.2.x ad929d48
2013-10-21 18:21 atrol Fixed in Version 1.3.0-beta.1 => 1.2.16
2013-10-21 18:21 atrol Target Version 1.3.0-beta.1 => 1.2.16
2013-10-31 19:51 dregad Note Added: 0038408
2013-10-31 19:51 dregad Summary XSS in account_sponsor_page.php project names => CVE-2013-4460: XSS in account_sponsor_page.php project names
2014-02-07 18:24 dregad Status resolved => closed