View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0029688 | mantisbt | security | public | 2022-02-25 17:22 | 2022-04-13 12:10 |
Reporter | dregad | Assigned To | dregad |
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed |
Product Version | 2.25.0 |
Target Version | 2.25.3 | Fixed in Version | 2.25.3 |
Summary | 0029688: CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php |
Description | Improper escaping of Plugin name allows execution of arbitrary code (if CSP allows it) when a crafted plugin is installed. |
Steps To Reproduce | |
Tags | No tags attached. |
CVE-2022-26144 assigned |
|
We are executing arbitrary plugin code that can't be controlled by us, as there is no sandbox concept for plugins. @dregad not sure I am missing something. |
|
Yes of course, there is always such a risk when executing foreign code in your environment. Actually this XSS is a regression that I introduced with MantisBT master 11a6d0de (see 0026142) so I thought it should at least be corrected (the vulnerability was originally fixed in 0012231).
That's exactly what this is.
Not really sure what you mean by that though... |
|
Attackers (bad guys) don't rely on the non-sanitized plugin name to inject code. |
|
MantisBT: master-2.25 a7751c3e 2022-02-25 17:01 |
Fix XSS when displaying plugin name Improper escaping of the plugin name allows attacker to inject code in manage_plugin_page.php and manage_plugin_uninstall.php. Fixes 0029688 |
Affected Issues 0029688 |
|
mod - manage_plugin_page.php |
mod - manage_plugin_uninstall.php |
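
The class of fix this changeset describes, shown as an added example that is not MantisBT's code: a plugin-supplied name is encoded at the point of output, and a DOM-based regression check confirms the rendered cell no longer contains injected elements. The function names and the sample plugin record are hypothetical, and the name value is constructed.

```php
<?php
// Added example, not MantisBT code. Function names and the sample plugin
// record are hypothetical; the name is a constructed value that carries markup.

/** Encode untrusted text for an HTML text node or a quoted attribute value. */
function esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** "Before": the name declared by the plugin is concatenated into the page as-is. */
function name_cell_raw(array $plugin): string {
    return '<td class="plugin-name">' . $plugin['name'] . '</td>';
}

/** "After": the same cell with the name encoded at the point of output. */
function name_cell_escaped(array $plugin): string {
    return '<td class="plugin-name">' . esc_html($plugin['name']) . '</td>';
}

/** Regression check: count the elements a rendered cell contains inside its <td>. */
function injected_elements(string $cell_html): int {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // parse the fragment without emitting warnings
    $doc->loadHTML('<table><tr>' . $cell_html . '</tr></table>');
    libxml_clear_errors();
    $td = $doc->getElementsByTagName('td')->item(0);
    // Any descendant element means the plugin name was interpreted as markup.
    return $td->getElementsByTagName('*')->length;
}

// Constructed plugin metadata: the name field contains an element with a handler.
$plugin = ['name' => 'Sample <b onclick="x()">plugin</b> 1.0'];

printf("raw:     %d injected element(s)\n", injected_elements(name_cell_raw($plugin)));
printf("escaped: %d injected element(s)\n", injected_elements(name_cell_escaped($plugin)));
echo name_cell_escaped($plugin), "\n";
```

A check of this shape in a test suite catches a regression of the kind noted in the discussion above, where a later refactoring removed escaping that an earlier fix had added.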