Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 8 Apr 2013 23:30:19 +0200 (CEST)
From: Damien Regad <damien.regad@...ckgroup.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Multiple CVE requests for MantisBT

Kurt Seifried <kseifried@...hat.com>
 Wrote in message:

>>>>> 4. XSS issue on Configuration Report page when displaying 
>>>>> complex value
>>>>> 
>>>>> This issue affects Mantis 1.2.0rc1 and later.
>>>>> 
>>>>> Lack of proper string escaping allows users (having admin 
>>>>> access) to enter arbitrary javascript code and have it
>>>>> executed on the user's browser.
>>>>> 
>>>>> Reference: http://www.mantisbt.org/bugs/view.php?id=15416
>>>> 
>>>> Does this count as a proper release or does it fall into the 
>>>> "beta" classification?
>> 
>>> 1.2.0rc1 was a beta release. The first "proper" release affected
>>> by this was 1.2.0
>> 
>> Ok not assigning a CVE then, unless there are a large number of
>> users betas don't get CVEs.
> 
> Steve just pointed out I may have misread this. Is 1.2.0 vulnerable,
> and this is fixed in 1.2.1, or was it fixed in the 1.2.0 release (so
> ONLY 1.2.0-rc1 was affected)?

Not sure who Steve is, but he is absolutely correct - this affects
 all versions of Mantis *starting* with rc1 and until 1.2.13
 included, so definitely non-beta releases are vulnerable.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.