View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0026078 | mantisbt | security | public | 2019-08-25 06:16 | 2020-12-30 08:26 |
Reporter | atrol | Assigned To | atrol | ||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Target Version | 2.21.3 | Fixed in Version | 2.21.3 | ||
Summary | 0026078: CVE-2019-15539: Stored XSS on Project Documentation | ||||
Description | Vulnerability in deprecated project documentation functionality ($g_enable_project_documentation). This allows execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. | ||||
Steps To Reproduce |
| ||||
Tags | No tags attached. | ||||
Attached Files | proj_doc_xss.patch (1,122 bytes)
From 14e58c1cadaf2ebed476f55626408443d408436d Mon Sep 17 00:00:00 2001 From: Roland Becker <roland@atrol.de> Date: Sun, 25 Aug 2019 11:52:41 +0200 Subject: [PATCH] Fix XSS on project documentation Vulnerability in deprecated project documentation functionality ($g_enable_project_documentation), allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. Prevent the attack by sanitizing the filename before display. Fixes #26078 --- proj_doc_edit_page.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proj_doc_edit_page.php b/proj_doc_edit_page.php index 5367ad8bd..f9008d180 100644 --- a/proj_doc_edit_page.php +++ b/proj_doc_edit_page.php @@ -125,7 +125,7 @@ print_doc_menu(); $t_href = '<a href="file_download.php?file_id='.$v_id.'&type=doc">'; echo $t_href; print_file_icon( $v_filename ); - echo '</a> ' . $t_href . file_get_display_name( $v_filename ) . '</a>'; + echo '</a> ' . $t_href . string_html_specialchars( file_get_display_name( $v_filename ) ) . '</a>'; ?> </td> </tr> -- 2.23.0 | ||||
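Review bot: The escaping is added only to the link text in the changed `echo` line, while the context line `print_file_icon( $v_filename );` directly above it still receives the raw filename. Whether that helper encodes what it derives from the filename is not visible in this hunk, so confirm it before relying on this one-line fix. In the same hunk, `$t_href` concatenates `$v_id` into the `href` attribute without encoding and uses a bare `&` before `type=doc`. If `$v_id` is not guaranteed to be an integer at this point, cast it, and write the separator as `&amp;` so the attribute is valid HTML. Because the commit message names a crafted upload filename as the trigger, a regression test that stores a document whose name contains markup and checks the rendered page would keep this from reappearing.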
CVE request 746787 sent. Even though this is a deprecated feature and the vulnerability is not widely accessible (need ability to manage project documentation) I'll apply the patch on all branches. |
|
CVE-2019-15539 assigned |
|
MantisBT: master-2.21 bd094ded 2019-08-25 01:52 Committer: dregad |
Fix XSS on project documentation Vulnerability in deprecated project documentation functionality ($g_enable_project_documentation), allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. Prevent the attack by sanitizing the filename before display. Fixes 0026078 |
Affected Issues 0026078 |
|
mod - proj_doc_edit_page.php |
MantisBT: master-1.3.x 796a327f 2019-08-25 01:52 Committer: dregad |
Fix XSS on project documentation Vulnerability in deprecated project documentation functionality ($g_enable_project_documentation), allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. Prevent the attack by sanitizing the filename before display. Fixes 0026079 (clone of issue 0026078) (cherry picked from commit bd094dede74ff6e313e286e949e2387233a96eea) |
Affected Issues 0026078, 0026079 |
|
mod - proj_doc_edit_page.php |