Date: Sat, 14 Mar 2015 11:09:55 +0100
From: Damien Regad <>
Subject: CVE Request: XSS issue in MantisBT permalink_page.php


Please assign a CVE ID for the following issue.


MantisBT's permalink_page.php builds a permanent link to a configured 
filter. Using a crafted URL, an attacker can make this link execute 
arbitrary JavaScript code in the user's browser.

Affected versions:
- >= 1.1.0a4
- 1.3.0-beta.1

Fixed in versions:
- 1.2.19 (released 2015-01-25)
- 1.3.0-beta.2 (not yet released)

See GitHub [1].

This vulnerability was originally discovered by Paul Richards in May 
2014, with the first public report in [2] and also mentioned in [3], 
although a CVE was never requested for it.
It was recently reported a second time by Robert Foggia in [4], leading 
to the present CVE request.
The issue was fixed by Damien Regad (MantisBT Developer), as a 
side-effect of addressing CVE-2015-1042, see [5].

Further details will be available in our issue tracker [2] once this 
goes public.

[1] (1.2.x) (1.3.x)
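The class of bug described in the message above, as an added illustration that is not MantisBT's own code: a permalink built by concatenating request-derived filter parameters straight into an href, beside a hardened version that whitelists keys, percent-encodes the query and HTML-encodes the attribute. The function names, the `view_all_set.php` target and the parameter names are assumptions for this example.

```php
<?php
// Added illustrative example (not MantisBT's code). Names are assumptions.

// Vulnerable pattern: filter parameters taken from the request are
// concatenated into an href with no output encoding, so any HTML
// metacharacters in the query string land in the page verbatim.
function build_permalink_unsafe(array $filter_params): string {
    $query = '';
    foreach ($filter_params as $name => $value) {
        $query .= ($query === '' ? '?' : '&') . $name . '=' . $value;
    }
    return '<a href="view_all_set.php' . $query . '">permalink</a>';
}

// Hardened pattern: only whitelisted filter keys are kept,
// http_build_query() percent-encodes every name and value, and
// htmlspecialchars() with ENT_QUOTES encodes the finished URL for the
// attribute context before it is written to the page.
function build_permalink_safe(array $filter_params): string {
    $allowed = ['project_id', 'status', 'priority', 'sort', 'dir'];
    $clean   = array_intersect_key($filter_params, array_flip($allowed));
    $query   = http_build_query($clean, '', '&', PHP_QUERY_RFC3986);
    $href    = 'view_all_set.php' . ($query === '' ? '' : '?' . $query);
    $encoded = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $encoded . '">permalink</a>';
}

// Constructed sample input: a normal filter plus one value carrying HTML
// metacharacters, as they would arrive in a crafted query string.
$params = [
    'project_id' => '1',
    'status'     => '10',
    'sort'       => 'id"><b>bold</b>',
    'evil_key'   => 'dropped by the whitelist',
];

// Unsafe output breaks out of the attribute; safe output keeps the
// metacharacters inert, e.g. sort=id%22%3E%3Cb%3Ebold%3C%2Fb%3E and
// the '&' separators rendered as &amp;.
echo build_permalink_unsafe($params), PHP_EOL;
echo build_permalink_safe($params), PHP_EOL;
```

Two layers are needed because the value passes through two contexts: URL encoding protects the query string, and HTML attribute encoding protects the page that embeds it.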
