Message-ID: <5265AA27.6060000@mantisbt.org>
Date: Tue, 22 Oct 2013 00:26:47 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: CVE Request: MantisBT before 1.2.16 XSS vulnerability

Greetings

Roland Becker (MantisBT developer) discovered and fixed [1] an XSS 
vulnerability issue affecting MantisBT releases 1.0.0 to 1.2.15 included.

Account_sponsor_page.php did not correctly sanitize project names, 
enabling a malicious user to execute malicious JavaScript when visiting 
that page.

The criticality of this issue is compounded by the fact that a 
high-privilege account (typically project manager or administrator) is 
required to edit project names.

Patches attached to [1]. Can you please assign a CVE ID to this issue?

Thank you

D. Regad
MantisBT Developer
http://mantisbt.org/

[1] http://www.mantisbt.org/bugs/view.php?id=16513

BCC: mantisbt-dev@...ts.sourceforge.net
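To illustrate the class of defect reported above (a stored value rendered into HTML without output encoding), here is an added example. It is not MantisBT's code and not the patch referenced in [1]; it is a minimal PHP fragment that renders a constructed project name, first without escaping and then with `htmlspecialchars()` applied. The function names `render_unsafe` and `render_safe` and the sample project name are hypothetical.

```php
<?php
// Added illustrative example; not MantisBT code.
// A project name as it might be stored in the database (constructed input).
// Only users who can edit project names could store a value like this.
$project_name = 'Acme <script>alert(1)</script>';

// Unsafe: the name is concatenated straight into the page, so any markup
// it contains becomes part of the DOM and any script in it executes in the
// browser of whoever views the page.
function render_unsafe(string $name): string {
    return '<td>' . $name . '</td>';
}

// Safe: HTML-encode before output. ENT_QUOTES also encodes single quotes,
// which matters if the value ever lands inside an attribute; the charset is
// given explicitly so the encoder does not have to guess.
function render_safe(string $name): string {
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Self-check: the encoded output must not contain a raw <script> tag.
$encoded = render_safe($project_name);
assert(strpos($encoded, '<script') === false);
assert($encoded === '<td>Acme &lt;script&gt;alert(1)&lt;/script&gt;</td>');

echo render_unsafe($project_name), "\n"; // markup reaches the browser intact
echo $encoded, "\n";                       // markup is shown as literal text
```

The defensive point is that encoding belongs at the output boundary, applied to every untrusted value at the moment it is written into HTML, rather than relying on the value having been "sanitized" when it was saved; the latter breaks as soon as another code path stores the same field without the same filter.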
