View Issue Details

ID: 0017870
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-11-03 08:47
Reporter: alex91ar
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.13
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017870: CVE-2014-8987: XSS in adm_config_report.php
Description

Hello there,
Today I bring you another security issue that I found while testing mantis.
It seems that one of the parameters passed by GET to the application is not being sanitized before being reflected.

It should be easily fixed by escaping the double quotes and "< >".

Let me know if you need any other information.
Best regards,
Alex.

Steps To Reproduce

This URL should be used in order to reproduce the issue:
/adm_config_report.php?config_option=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

Tags: No tags attached.

Activities

dregad (developer)   ~0041837
2014-11-14 10:06

Hi Alex,

Many thanks for the bug report. I'll investigate and let you know.
Did you reserve a CVE for this issue?

alex91ar (reporter)   ~0041838
2014-11-14 10:13

Hi there,
No, I haven't reserved a CVE for this issue.
I'm wondering, is this something I should be doing? How is it done?
I also reported the captcha bypass issue, and I don't have a CVE for that one either.
I'm sorry, I'm very new to all this and I don't have a CVE yet.

Thanks for your assistance.
Best regards,
Alex.

dregad (developer)   ~0041839
2014-11-14 10:30

I'm only asking to avoid sending multiple requests for the same issue as it then becomes a source of confusion. So don't worry, I'll take care of it (in fact I prefer to do it myself so I'm sure that all relevant information is provided right from the start, it's easier than making changes afterwards).

If you're interested in learning more about this process, see http://cve.mitre.org including their FAQ.

dregad (developer)   ~0041840
2014-11-14 16:56 (last edited: 2014-11-14 17:08)

OK, I can reproduce this in 1.2.x.

The severity of the issue is mitigated by the fact that an attacker would need to be logged in with a high-privileged account (administrator by default) to access this page.

On 1.3.x, browsers supporting content security policy are not affected by this.

dregad (developer)   ~0041841
2014-11-14 17:20 (last edited: 2014-11-14 17:34)

Alex, I'm preparing the CVE request; please let me know how you would like to be credited for this finding.

http://permalink.gmane.org/gmane.comp.security.oss.general/14706

alex91ar (reporter)   ~0041857
2014-11-15 09:07

Hi there,
Although it's true that it's mitigated in browsers that support content security policy, be careful because these can be bypassed.
Plus, the attacker would not need to be logged in with a high-privileged account, since the vector of attack would be to make an administrator click on a link, by social engineering or other methods, that would be embedded with the malicious payload.

An attacker would just need to download a copy of the software and install it in order to generate a link with the payload embedded.

Regarding the CVE, I would like to be credited with my full name. (Alejo Popovici).

Thank you for everything, and I'll let you know if I find any other issues.
Let me tell you that you are by far the most responsive developer team that I've ever contacted. I have outstanding security bug reports for a month that haven't even been acknowledged yet.

Best regards,
Alex.

dregad (developer)   ~0041870
2014-11-20 02:52

Thanks for the positive feedback Alex, it's always nice to hear.

I'm hoping to release 1.2.18 next week if all goes according to plan.

dregad (developer)   ~0051806
2015-11-03 08:47

Patrice Morineau pointed out to me via e-mail that, in the master branch, commit 1a49a780 does not implement the change documented in its commit message; in fact it reapplied b509ab38 (use string_display_line()) instead.

The issue is now properly (and hopefully definitively) fixed in b649c9c9.

It is worth mentioning that string_display_line() does effectively protect against the XSS attack vector, provided that the relevant MantisBT Formatting plugin configuration (text processing) is set to ON.
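
The point made in this thread, as an added example that is not MantisBT's own code: the config_option value is reflected inside a double-quoted HTML attribute, so the escaping must be attribute-aware, and an escaper whose effect depends on a runtime setting is not a dependable fix. PHP's htmlspecialchars() with ENT_QUOTES is assumed here as the stand-in for what string_attribute() is meant to provide; the setting-gated routine is hypothetical and does not reproduce string_display_line().

```php
<?php
// Added example, not MantisBT code. Models the reflection of the config_option
// GET parameter into a double-quoted attribute, as in adm_config_report.php.
// The payload is the one from Steps To Reproduce above, URL-decoded.
const PAYLOAD = '"><script>alert("XSS")</script>';
const PREFIX  = '<input type="text" name="config_option" value="';
const SUFFIX  = '">';

// Vulnerable form: the raw parameter is reflected into the attribute.
function render_vulnerable(string $config_option): string {
    return PREFIX . $config_option . SUFFIX;
}

// Hardened form: attribute-context escaping, assumed here to be what
// string_attribute() provides. ENT_QUOTES matters: inside an attribute the
// breakout character is the quote, not only < and >.
function render_hardened(string $config_option): string {
    return PREFIX . htmlspecialchars($config_option, ENT_QUOTES | ENT_HTML5, 'UTF-8') . SUFFIX;
}

// Hypothetical stand-in (NOT MantisBT's string_display_line()) for an escaper
// whose effect depends on a runtime setting, mirroring the caveat above about
// the Formatting plugin's text processing option.
function render_setting_gated(string $config_option, bool $text_processing_on): string {
    $shown = $text_processing_on
        ? htmlspecialchars($config_option, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $config_option;
    return PREFIX . $shown . SUFFIX;
}

// Regression check: after removing the fixed markup around the value, does any
// unescaped quote or tag opener remain inside the attribute value?
function breaks_out_of_attribute(string $html): bool {
    $inner = substr($html, strlen(PREFIX), -strlen(SUFFIX));
    return strpos($inner, '"') !== false || strpos($inner, '<') !== false;
}

foreach ([
    'vulnerable'         => render_vulnerable(PAYLOAD),
    'hardened'           => render_hardened(PAYLOAD),
    'setting-gated, ON'  => render_setting_gated(PAYLOAD, true),
    'setting-gated, OFF' => render_setting_gated(PAYLOAD, false),
] as $label => $html) {
    printf("%-20s breaks out of attribute: %s\n",
        $label, breaks_out_of_attribute($html) ? 'yes' : 'no');
}
```

Run it with the php CLI; the check reports a breakout for exactly those rows where the value reaches the attribute without attribute-context escaping.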

Related Changesets

MantisBT: master-1.2.x ee8100d6 (dregad, 2014-11-14 11:55)
Fix 0017870: XSS in adm_config_report.php
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master b509ab38 (dregad, 2014-11-14 11:55)
Fix 0017870: XSS in adm_config_report.php
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master-1.2.x 49c3d089 (dregad, 2014-11-14 11:55)
Fix 0017870: XSS in adm_config_report.php

This is the correct fix for this issue, using string_attribute() to
escape the variable. Thanks to Paul Richards for pointing this out.
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master 1a49a780 (dregad, 2014-11-14 11:55)
Fix 0017870: XSS in adm_config_report.php

This is the correct fix for this issue, using string_attribute() to
escape the variable. Thanks to Paul Richards for pointing this out.
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master-1.2.x 1bdc16e5 (dregad, 2014-11-15 05:36)
Revert "Fix 0017870: XSS in adm_config_report.php"

This reverts commit ee8100d6752b9c5dc0dd360a2d903211c5f9eba7.

The wrong string API call was used, it should have been
string_attribute() and not string_display_line(). Thanks to
Paul Richards for pointing this out.
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master b02557d8 (dregad, 2014-11-15 05:43)
Revert "Fix 0017870: XSS in adm_config_report.php"

This reverts commit b509ab380f91e84d9683dbfdb02206b88a9b86fb.

The wrong string API call was used, it should have been
string_attribute() and not string_display_line(). Thanks to
Paul Richards for pointing this out.
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master b649c9c9 (dregad, 2015-11-03 03:23)
Fix 0017870: XSS in adm_config_report.php

This is the *real* correct fix for this issue (i.e. using string_attribute()
to escape the variable), which was supposed to have been fixed in commit
1a49a780a7881b6eb7a2384a432db072a5c6db79.

Unfortunately, for some reason I somehow ended up redoing the same
mistake of using string_display_line() again instead (see original fix
b509ab380f91e84d9683dbfdb02206b88a9b86fb, reverted in
b02557d88a2094330249dc06c2990184d2696372).

It is worth mentioning that string_display_line() *does* protect against
the XSS attack vector, provided that the relevant MantisBT Formatting
plugin configuration (text processing) is set to ON.

Thanks to Patrice Morineau for pointing this out.
Affected Issues: 0017870
mod - adm_config_report.php