Date: Mon, 09 Feb 2015 22:37:02 +0100
From: Damien Regad <>
Subject: CVE request: XSS in MantisBT


Please assign a CVE ID for the following issue.


The MantisBT Configuration Report (adm_config_report.php) did not
properly sanitize the form variables used when saving a filter, allowing
an attacker to embed JavaScript code which would be executed in the
client's browser when displaying the page.

Affected versions:
- >= 1.2.13
- 1.3.0-beta.1

Fixed in versions:
- 1.2.20 (not yet released)
- 1.3.0-beta.2 (not yet released)

See GitHub [1].

This vulnerability was discovered by Fortinet's FortiGuard Labs
(reference FG-VD-15-008 [2]).
The issue was fixed by Damien Regad (MantisBT Developer).

Further details will be available in our issue tracker [2] once this
goes public.

[1] (1.2.x) (1.3.x)
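The bug class described in the post, as an added PHP illustration (this is not part of the original message and not MantisBT's own code): a saved filter value written into a form attribute without encoding, next to the encoded version, with a DOM-based check that reports whether the value stayed inside its attribute. The parameter name filter_config_id and all function names are assumptions chosen for the example.

```php
<?php
// Added example, not code from the original post or from MantisBT.
// The parameter name filter_config_id and the function names are
// assumptions chosen for illustration only.

// Weak pattern: a saved filter value is echoed straight into an HTML
// attribute. A value containing a double quote closes the attribute and
// whatever follows is parsed as new markup.
function render_filter_weak(array $form): string {
    $value = (string) ($form['filter_config_id'] ?? '');
    return '<input type="text" name="filter_config_id" value="' . $value . '">';
}

// Hardened pattern: encode for the attribute context before output.
// ENT_QUOTES also encodes the double quote, which is the character that
// would otherwise terminate the attribute.
function render_filter_safe(array $form): string {
    $value = (string) ($form['filter_config_id'] ?? '');
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="filter_config_id" value="' . $encoded . '">';
}

// Parse the rendered fragment the way a browser would and count elements
// other than the expected <input>. Structural <p> wrappers that libxml
// may add around stray text are ignored; any other element means the
// value broke out of its attribute.
function count_injected_elements(string $html): int {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragment input; ignore parser notices
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    return (int) $xpath->evaluate('count(//body//*[not(self::input or self::p)])');
}

// Constructed sample input: a saved filter whose value closes the
// attribute and appends a harmless marker element.
$form = ['filter_config_id' => '"><i>injected</i>'];

$weak = render_filter_weak($form);
$safe = render_filter_safe($form);
printf("weak: %s\n  extra elements: %d\n", $weak, count_injected_elements($weak));
printf("safe: %s\n  extra elements: %d\n", $safe, count_injected_elements($safe));
```

The weak rendering yields one extra element (the marker), the encoded rendering yields none; the same check can be applied to any rendered form fragment.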
