View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006544 | mantisbt | security | public | 2005-12-31 21:53 | 2006-10-09 11:55 |
Reporter | thraxisp | Assigned To | thraxisp | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 0.19.3 | ||||
Fixed in Version | 0.19.5 | ||||
Summary | 0006544: XSS Vulnerability in project name (TKADV2005-11-002) | ||||
Description | It is possible to embed an XSS script into the project name at creation. This then shows up in several other pages. From Thomas Waldegger [thomas.waldegger at morph3us dot org]: You should not allow users to add projects, filters, users and so on. Note: These configurations affect only the ">'' project. Try to add a project with the name '">script>alert(document.cookie) /manage_config_work_threshold_page.php These files do not filter the project name and so every time a certain | ||||
Tags | No tags attached. | ||||
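
The failure this issue describes, a stored project name reaching HTML output unfiltered, is shown here as an added PHP example beside an output-encoded version. This is not MantisBT source code; the function names, the option-list markup and the sample project names are assumptions constructed for illustration.

```php
<?php
// Added illustration, not MantisBT code. All function names are hypothetical.

// Constructed sample data: names as stored by a project-creation form. The
// second one contains characters that close an attribute and open a new tag.
$projects = [
    ['id' => 1, 'name' => 'Website'],
    ['id' => 2, 'name' => '\'"><b>injected</b>'],
];

// Encode for HTML text and quoted attribute values. ENT_QUOTES covers both
// single and double quotes, so either attribute quoting style stays closed.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the stored name is concatenated into the page unchanged.
function render_option_unfiltered(array $p): string
{
    return '<option value="' . $p['id'] . '" title="' . $p['name'] . '">'
         . $p['name'] . '</option>';
}

// "After": every use of the name is encoded at output time, in one helper
// that each page rendering project names can share.
function render_option_escaped(array $p): string
{
    return '<option value="' . (int) $p['id'] . '" title="' . esc_html($p['name']) . '">'
         . esc_html($p['name']) . '</option>';
}

// Regression check: a name containing markup characters must not appear
// verbatim anywhere in the rendered HTML.
function name_is_neutralised(string $html, string $name): bool
{
    return !preg_match('/[<>"\']/', $name) || strpos($html, $name) === false;
}

foreach ($projects as $p) {
    $after = render_option_escaped($p);
    printf("before: %s\n", render_option_unfiltered($p));
    printf("after:  %s\n", $after);
    printf("safe:   %s\n\n", name_is_neutralised($after, $p['name']) ? 'yes' : 'NO');
}
```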