MantisBT: master-1.2.x 9fb8cf36

Author Committer Branch Timestamp Parent
dregad dregad master-1.2.x 2014-11-28 14:51 master-1.2.x 05378e00
Affected Issues  0017874: CVE-2014-9271: Persistent XSS in file uploads/attachments

Fix 0017874: XSS in file uploads

An attacker can upload a Flash file with an image extension. If such an
attachment is displayed inline, it becomes a vector for XSS attacks.

This issue was reported by Matthias Karlsson (
as part of Offensive Security's bug bounty program [1].

Patch with contribution from Victor Boctor.

mod - file_download.php Diff File