Date: Tue, 1 Aug 2017 15:22:33 +0200 From: Damien Regad <dregad@...tisbt.org> To: oss-security@...ts.openwall.com Subject: Advisory: XSS issues in MantisBT (CVE-2017-12061, CVE-2017-12062) Please take note of the following 2 cross-site scripting issues in MantisBT Best regards Damien Regad MantisBT developer 1. CVE-2017-12061: XSS in /admin/install.php script A cross-site scripting (XSS) vulnerability in the MantisBT Installation script allows remote attackers to inject arbitrary code through crafted parameters. This is only possible if the admin/ folder was not deleted after installation, as recommended in the MantisBT Admin Guide . Affected versions: 1.3.11 and older, 2.5.1 and older Fixed in versions: 1.3.12, 2.5.2, 2.6.0 (not yet released*) Patch: - 1.3: https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458ecd08fb0 - 2.x: https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade785e27cba5 Credits: - Reported by aLLy from ONSEC (https://twitter.com/IamSecurity) - Fixed by Damien Regad (MantisBT Developer) References: - MantisBT issue tracker https://mantisbt.org/bugs/view.php?id=23146  http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.postcommon 2. CVE-2017-12062: XSS in manage_user_page.php A cross-site scripting (XSS) vulnerability in the MantisBT Manage User page allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'filter' parameter. Affected versions: 2.1.0 through 2.5.1 Fixed in versions: 2.5.2, 2.6.0 (not yet released*) Patch: https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7 Credits: - Reported by Trí Chim Trích (https://twitter.com/trichimtrich) - Fixed by Roland Becker (MantisBT Developer) References: - MantisBT issue tracker http://www.mantisbt.org/bugs/view.php?id=23166 * Releases 1.3.9, 2.1.3, 2.2.3 and 2.3.0 are scheduled for release on coming week-end
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ