0015511: CVE-2013-1931: XSS vulnerability when deleting a version

ID	Project	Category	View Status	Date Submitted	Last Update
0015511	mantisbt	security	public	2013-02-15 15:16	2014-09-23 18:05

Reporter	atrol	Assigned To	atrol
Priority	high	Severity	major	Reproducibility	have not tried
Status	closed	Resolution	fixed
Product Version	1.2.14
Target Version	1.2.15	Fixed in Version	1.2.15

Summary	0015511: CVE-2013-1931: XSS vulnerability when deleting a version
Description	Script is executed when trying to remove a version having scripting code in the name of the version.
Steps To Reproduce	Create a version <script>alert ("XSS")</script> Try to delete the version
Additional Information	The XSS issue does not occur in version 1.3.x using Firefox (IE is affected) CSP introduced in 0011825 prevents executing in Firefox, but the version name is not displayed.
Tags	No tags attached.

MantisBT: master-1.2.x 8b13da01 2013-02-15 15:15 atrol Details Diff	Fix 0015511: XSS vulnerability when deleting a version	Affected Issues 0015511
	mod - manage_proj_ver_delete.php	Diff File
MantisBT: master 44e140e9 2013-02-15 15:21 atrol Details Diff	Fix 0015511: XSS vulnerability when deleting a version	Affected Issues 0015511
	mod - manage_proj_ver_delete.php	Diff File

grangeway 2013-04-05 17:56 reporter ~0036092	Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

dregad 2013-04-08 05:43 developer ~0036538	CVE assigned on 06-Apr-2013 [1] [1] http://article.gmane.org/gmane.comp.security.oss.general/9878