MantisBT: master 26f209a2

Author Committer Branch Timestamp Parent
dregad dregad master 2014-11-28 14:51 master 66c142dc
Affected Issues  0017874: CVE-2014-9271: Persistent XSS in file uploads/attachments

Fix 0017874: XSS in file uploads

An attacker can upload a Flash file with an image extension. If such an
attachment is displayed inline, it becomes a vector for XSS attacks.

This issue was reported by Matthias Karlsson (
as part of Offensive Security's bug bounty program [1].

Patch with contribution from Victor Boctor.

mod - file_download.php Diff File