View Issue Details

ID: 0024672
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-08-17 08:13
Reporter: Kyle_Katarn
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 2.16.0
Target Version:
Fixed in Version:
Summary0024672: Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042)
Description

Mantis is depending on Bootstrap 3.3.6 which has some vulnerabilities (3 medium according to Netsparker).
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14042

Consider updating to a more recent version.
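A practical first check for a report like this one is to confirm which Bootstrap build a MantisBT install actually ships and whether it predates the fixed releases. The script below is an added example, not code from this issue or from the MantisBT project: it reads the banner comment Bootstrap places at the top of its distributed bootstrap.js / bootstrap.min.js / bootstrap.css files and compares the version against the first releases that carry the fixes for CVE-2018-14040, CVE-2018-14041 and CVE-2018-14042. The thresholds (3.4.0 for the 3.x line, 4.1.2 for the 4.x line) are taken from Bootstrap's own release notes, not from this page, and the sample banners are constructed for the demonstration.

```python
"""Audit a web tree (e.g. a MantisBT checkout) for bundled Bootstrap builds that
predate the releases fixing CVE-2018-14040, CVE-2018-14041 and CVE-2018-14042."""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First releases on each major line that carry the three fixes: 3.4.0 for
# Bootstrap 3 and 4.1.2 for Bootstrap 4 (assumption taken from Bootstrap's
# release notes; this issue itself only points at the v3.4.0-dev branch).
FIXED_IN: Dict[int, Version] = {3: (3, 4, 0), 4: (4, 1, 2)}

# Bootstrap's distributed JS and CSS start with a banner comment such as
#   /*! Bootstrap v3.3.6 (http://getbootstrap.com) ... */
BANNER_RE = re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)")


def bootstrap_version(source: str) -> Optional[Version]:
    """Return (major, minor, patch) from the banner, or None if there is no banner.
    Only the first 4 KiB are searched: the banner sits at the top of the file and
    a concatenated bundle may mention other version strings further down."""
    match = BANNER_RE.search(source[:4096])
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(version: Version) -> Optional[bool]:
    """True if the version is at or above the fixed release on its major line,
    False if it is older, None for a major line the table does not cover."""
    fixed = FIXED_IN.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def audit_source(source: str) -> Dict[str, object]:
    """Classify one file's contents: not Bootstrap, vulnerable, patched, or unknown line."""
    version = bootstrap_version(source)
    if version is None:
        return {"bootstrap": False}
    verdict = is_patched(version)
    fixed_in = FIXED_IN.get(version[0])
    return {
        "bootstrap": True,
        "version": ".".join(str(n) for n in version),
        "patched": verdict,
        "fixed_in": ".".join(str(n) for n in fixed_in) if fixed_in else None,
    }


def audit_tree(root: str) -> Dict[str, Dict[str, object]]:
    """Walk a checkout and report every .js/.css file whose banner identifies Bootstrap."""
    results: Dict[str, Dict[str, object]] = {}
    for path in Path(root).rglob("*"):
        if path.suffix not in {".js", ".css"} or not path.is_file():
            continue
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(4096)
        result = audit_source(head)
        if result["bootstrap"]:
            results[str(path)] = result
    return results


# Constructed sample banners in the shape Bootstrap ships (not copied from any install).
SAMPLE_336 = "/*!\n * Bootstrap v3.3.6 (http://getbootstrap.com)\n * Copyright 2011-2015 Twitter, Inc.\n */\n"
SAMPLE_340 = "/*!\n * Bootstrap v3.4.0 (https://getbootstrap.com/)\n */\n"
SAMPLE_413 = "/*!\n * Bootstrap v4.1.3 (https://getbootstrap.com/)\n */\n"
SAMPLE_OTHER = "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n"

if __name__ == "__main__":
    for label, src in [("3.3.6", SAMPLE_336), ("3.4.0", SAMPLE_340),
                       ("4.1.3", SAMPLE_413), ("jquery", SAMPLE_OTHER)]:
        print(label, audit_source(src))
```

Run `audit_tree("/path/to/mantisbt")` against a real checkout to list every bundled Bootstrap file with its verdict; a 2.16.0 tree as described in this issue should surface a 3.3.6 build flagged `patched: False` with `fixed_in: 3.4.0`. The version check keys on the banner only, so a build whose banner was stripped by a minifier will show up as "not Bootstrap" and needs a manual look.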

TagsNo tags attached.

Activities

dregad

2018-08-16 11:22

developer   ~0060442

Last edited: 2018-08-16 11:32

Thanks for the heads up, we'll look into it.

EDIT: After a quick look at changes from 3 to 4, and considering our use of the ACE admin template, this is no small undertaking... don't hold your breath ;-)

atrol

2018-08-16 11:44

developer   ~0060443

> After a quick look at changes from 3 to 4, and considering our use of the ACE admin template, this is no small undertaking

Using 3.4.0 might be an option
https://github.com/twbs/bootstrap/commits/v3.4.0-dev
From what I see, they seem to fix security issues in this branch
https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d

dregad

2018-08-17 05:14

developer   ~0060446

> Using 3.4.0 might be an option

Assuming they ever release it...
https://github.com/twbs/bootstrap/issues/25679

Kyle_Katarn

2018-08-17 06:22

reporter   ~0060447

Would you please edit my issue's title in order to change it to "Fix CVE-2018-14040, CVE-2018-14041, CVE-2018-14042" ? (which is more relevant)

Issue History

Date Modified Username Field Change
2018-08-16 08:53 Kyle_Katarn New Issue
2018-08-16 11:22 dregad Status new => acknowledged
2018-08-16 11:22 dregad Category bugtracker => security
2018-08-16 11:22 dregad Note Added: 0060442
2018-08-16 11:32 dregad Note Edited: 0060442 View Revisions
2018-08-16 11:44 atrol Note Added: 0060443
2018-08-17 05:14 dregad Note Added: 0060446
2018-08-17 06:22 Kyle_Katarn Note Added: 0060447
2018-08-17 08:13 dregad Summary Update to Boostrap 4.1.3 => Fix Bootstrap security issues (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042)