Bug 207260

Summary: www-apps/mantisbt "Most Active" Script Insertion Vulnerability (CVE-2008-0404)
Product: Gentoo Security
Reporter: Lars Hartmann <lars>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/28577
Whiteboard: ~4 [ebuild]
Package list:
Runtime testing required: ---

Description Lars Hartmann 2008-01-24 08:32:58 UTC
A vulnerability has been reported in Mantis, which can be exploited by malicious users to conduct script insertion attacks.

Certain input is not properly sanitised before being used within the "Most Active" bugs on the "Summary" page. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when malicious data is viewed.

The vulnerability is reported in versions prior to 1.1.1.

Solution:
Update to version 1.1.1.
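The advisory describes the classic stored script-insertion pattern: a user-supplied bug summary is written into the "Most Active" table without being escaped for its HTML context. The example below is an added illustration of the vulnerable pattern beside its hardened form; it is not Mantis code, it is written in Python rather than Mantis's PHP, and the function names, the row layout and the sample summary are all constructed here for the demonstration.

```python
import html

# Constructed sample input: a bug summary as a user could submit it.
# It is not taken from any Mantis installation.
SAMPLE_SUMMARY = "Crash on save <script>x()</script>"


def render_row_unsafe(summary: str, count: int) -> str:
    """Vulnerable pattern: user-controlled text is dropped straight into HTML.

    Whatever markup the summary contains becomes part of the page and is
    interpreted by the browser of anyone who views the summary table.
    """
    return f"<tr><td>{summary}</td><td>{count}</td></tr>"


def render_row_safe(summary: str, count: int) -> str:
    """Hardened pattern: escape for the HTML text context before emitting.

    html.escape turns <, >, &, " and ' into entities, so the summary is shown
    verbatim as text and cannot introduce new elements or attributes.
    """
    return f"<tr><td>{html.escape(summary, quote=True)}</td><td>{count}</td></tr>"


def build_most_active_table(rows, safe: bool = True) -> str:
    """Build a whole 'most active' table from (summary, count) pairs.

    The only difference between the two modes is the per-cell escaping step;
    everything else (sorting, layout) is identical, which is the point: the
    fix is local to the output encoding, not to the data model.
    """
    render = render_row_safe if safe else render_row_unsafe
    ordered = sorted(rows, key=lambda r: r[1], reverse=True)
    body = "".join(render(summary, count) for summary, count in ordered)
    return f"<table>{body}</table>"


def contains_raw_script_tag(markup: str) -> bool:
    """Detection helper for the demonstration: does an unescaped <script tag
    survive into the final markup?  Deliberately crude; a real check would
    parse the HTML rather than substring-match."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    rows = [(SAMPLE_SUMMARY, 7), ("Login page typo", 12)]
    print(build_most_active_table(rows, safe=False))
    print(build_most_active_table(rows, safe=True))
```

Running the block prints the two tables; the unescaped one carries the `<script>` element through intact, while the escaped one shows `&lt;script&gt;x()&lt;/script&gt;` as literal text in the cell. The escaping shown is correct only for HTML text and quoted-attribute contexts; values placed into URLs, inline JavaScript or CSS need their own context-specific encoding.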
Comment 1 Lars Hartmann 2008-01-24 08:34:05 UTC
maintainers - please provide an updated ebuild
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2008-01-24 11:16:48 UTC
1.1.1 is already in the tree. The currently stable branch, 1.0.8, is not affected. Nothing to do :)
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-24 11:57:17 UTC
Thx. Closing this one.