From $url: The following vulnerabilities were found in Mantis (Version 1.2.2).

1. XSS in "/mantisbt_1_2_2/api/soap/mantisconnect.php"

URI was set to 1<ScRiPt>prompt(923395)</ScRiPt>
The input is reflected inside a text element. The input is reflected inside a tag element between double quotes.

Sample HTTP request to reproduce the problem:

GET /mantisbt_1_2_2/api/soap/mantisconnect.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E HTTP/1.1
Cookie: PHPSESSID=4a181a89451adb7b5d459ea3252b1f4a; MANTIS_secure_session=0; MANTIS_PROJECT_COOKIE=0
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
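As an added example (not part of the bug report and not MantisBT project code), the following Python scans web-server access-log lines for requests that place markup in the PATH_INFO after mantisconnect.php, which is the shape of the request quoted above; it also catches double-encoded variants. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format). The second line carries the
# probe from the report above, percent-encoded the way a browser sends it; the third is
# a double-encoded variant; the fourth is a legitimate WSDL fetch.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2010:10:01:02 +0000] "GET /mantisbt_1_2_2/view_all_bug_page.php HTTP/1.1" 200 5120
10.0.0.9 - - [17/Sep/2010:10:01:07 +0000] "GET /mantisbt_1_2_2/api/soap/mantisconnect.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E HTTP/1.1" 200 812
10.0.0.9 - - [17/Sep/2010:10:01:09 +0000] "GET /mantisbt_1_2_2/api/soap/mantisconnect.php/%253Cscript%253E HTTP/1.1" 200 812
10.0.0.7 - - [17/Sep/2010:10:01:11 +0000] "GET /mantisbt_1_2_2/api/soap/mantisconnect.php?wsdl HTTP/1.1" 200 40231
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that has no business in a SOAP endpoint's PATH_INFO (matched case-insensitively).
MARKUP_RE = re.compile(r'<\s*/?\s*(script|img|svg|iframe|body)\b|on\w+\s*=|javascript:', re.I)
ENDPOINT = '/api/soap/mantisconnect.php'


def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded probes (%253C -> %3C -> <) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_path_info_probes(log_text):
    """Return (client_ip, decoded PATH_INFO) for requests that append markup to the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group('target').split('?', 1)[0]  # PATH_INFO lives in the path, not the query
        idx = path.find(ENDPOINT)
        if idx < 0:
            continue
        path_info = decode_fully(path[idx + len(ENDPOINT):])
        if path_info and MARKUP_RE.search(path_info):
            hits.append((m.group('ip'), path_info))
    return hits


if __name__ == '__main__':
    for ip, path_info in find_path_info_probes(SAMPLE_LOG):
        print(f'{ip} sent markup in PATH_INFO: {path_info!r}')
```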
Found another XSS in www-apps/mantisbt-1.2.2: CVE-2010-2574 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2574) Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in MantisBT 1.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the name parameter in an Add Category action. This is not the same issue as described in $url.
CVE-2010-2574 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2574): Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in MantisBT 1.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the name parameter in an Add Category action.
The main concern with MantisBT 1.2.2 is the NuSOAP/mantisconnect vulnerability. This is actually an upstream issue with the NuSOAP project that has yet to be patched.

Reference: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

MantisBT bundles NuSOAP and as Gentoo doesn't have a dedicated nusoap package, Gentoo's MantisBT ebuild relies upon the bundled version. Saying that, upstream hasn't released a new build either (although Debian and RedHat have already patched their own packages). The MantisBT project plans to release a 1.2.3 build shortly to address the bundled NuSOAP XSS issue. The other XSS issues in MantisBT 1.2.2 are not as significant because they require elevated access.
Also, if you can't wait for a 1.2.3 release, patches for all these MantisBT 1.2.2 XSS issues have been available for weeks in the repository at http://git.mantisbt.org/?p=mantisbt.git;a=shortlog;h=refs/heads/master-1.2.x They should apply cleanly on top of the 1.2.2 release.
MantisBT 1.2.3 has been released to fix this XSS vulnerability in the bundled version of NuSOAP (and another few minor XSS issues).
http://sourceforge.net/mailarchive/message.php?msg_name=4C8FC573.3060900%40leetcode.net
http://sourceforge.net/projects/mantisbt/files/
Thank you guys. New version is in the tree. Arch teams, please, stabilize.
stable x86
amd64 done
CVEs CVE-2010-3070 and CVE-2010-3303 have also been assigned to these vulnerabilities.
ppc done
GLSA Vote: No, some of the issues require an authenticated attacker with administrator privileges, the other is an unauthenticated reflected XSS.
XSS in Webapp -> closing noglsa.