Date: Thu, 16 Dec 2010 08:58:34 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: MantisBT <=1.2.3 (db_type) Cross-Site Scripting & Path Disclosure Vulnerability

Please use CVE-2010-4348 for the XSS.
CVE-2010-4349 for the path disclosure.

Thanks.

--
JB

----- "David Hicks" <hickseydr@...usnet.com.au> wrote:

> This is a CVE request for a vulnerability discovered in MantisBT <1.2.4
> by Gjoko Krstic of Zero Science Lab as per the following advisory:
>
> http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
>
> MantisBT 1.2.4 has been released to resolve this issue.
>
> For distributions or users using MantisBT 1.1.x, the following patch can
> be applied:
> http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590
>
> Please note that MantisBT 1.1.x is not recommended for use due to many
> security improvements and features implemented in MantisBT 1.2.x (but
> not backported to 1.1.x).
>
> Detailed information about this vulnerability can be found in this bug
> report: http://www.mantisbt.org/bugs/view.php?id=12607
>
> Regards,
>
> David Hicks
> MantisBT Developer
> mantisbt.org, #mantishelp freenode