Bug 207260 - www-apps/mantisbt "Most Active" Script Insertion Vulnerability (CVE-2008-0404)
Summary: www-apps/mantisbt "Most Active" Script Insertion Vulnerability (CVE-2008-0404)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28577
Whiteboard: ~4 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-24 08:32 UTC by Lars Hartmann
Modified: 2008-01-24 11:57 UTC

See Also:
Package list:
Runtime testing required: ---
Description Lars Hartmann 2008-01-24 08:32:58 UTC
A vulnerability has been reported in Mantis, which can be exploited by malicious users to conduct script insertion attacks.

Certain input is not properly sanitised before being used within the "Most Active" bugs on the "Summary" page. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when malicious data is viewed.

The vulnerability is reported in versions prior to 1.1.1.

Solution:
Update to version 1.1.1.
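The flaw class described in the report is stored script insertion (stored XSS): a bug summary saved by one user is later written into the "Summary" page's "Most Active" listing without output encoding. The following added example is illustrative only; it is not MantisBT's code (MantisBT is written in PHP, this is Python), and the bug record fields, the sample data and the rendering helpers are constructed assumptions. It shows the vulnerable rendering pattern beside the hardened one, plus a small regression check a maintainer could run over rendered output.

```python
import html
from dataclasses import dataclass


@dataclass
class Bug:
    """Constructed bug record; field names are illustrative, not MantisBT's schema."""
    bug_id: int
    summary: str
    note_count: int


# Constructed sample data: the second and third summaries carry markup that a
# malicious user could have stored through the normal bug-reporting form.
SAMPLE_BUGS = [
    Bug(101, "Login page returns 500 on empty password", 12),
    Bug(102, "<script>alert('xss')</script>", 9),
    Bug(103, 'Summary with "quotes" & <b>tags</b>', 4),
]


def _most_active_first(bugs):
    """Order bugs by activity (note count), most active first."""
    return sorted(bugs, key=lambda b: b.note_count, reverse=True)


def render_most_active_unsafe(bugs):
    """Vulnerable pattern: stored text is concatenated straight into HTML.

    Any '<', '>' or quote characters in the summary reach the browser
    verbatim, so stored markup executes in the viewer's session.
    """
    rows = []
    for b in _most_active_first(bugs):
        rows.append(
            f"<tr><td>{b.bug_id}</td><td>{b.summary}</td><td>{b.note_count}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def render_most_active_safe(bugs):
    """Hardened pattern: every untrusted value is HTML-escaped at output time.

    html.escape(..., quote=True) encodes & < > " and ' so the summary is
    rendered as text, never parsed as markup.
    """
    rows = []
    for b in _most_active_first(bugs):
        rows.append(
            "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
                html.escape(str(b.bug_id), quote=True),
                html.escape(b.summary, quote=True),
                html.escape(str(b.note_count), quote=True),
            )
        )
    return "<table>" + "".join(rows) + "</table>"


def contains_unescaped_markup(rendered, untrusted_values):
    """Regression check for the rendering layer.

    Returns True if any untrusted value that contains a markup-significant
    character ('<', '>', '"' or '&') appears verbatim in the rendered page,
    i.e. was emitted without encoding.
    """
    for value in untrusted_values:
        if any(c in value for c in '<>"&') and value in rendered:
            return True
    return False


if __name__ == "__main__":
    summaries = [b.summary for b in SAMPLE_BUGS]
    print("unsafe output leaks markup:",
          contains_unescaped_markup(render_most_active_unsafe(SAMPLE_BUGS), summaries))
    print("safe output leaks markup:  ",
          contains_unescaped_markup(render_most_active_safe(SAMPLE_BUGS), summaries))
```

The check deliberately inspects the final rendered string rather than the stored data: the defect in this class of bug is missing encoding at the point of output, so input-side filtering alone would not have caught a summary that was already in the database when the fix shipped.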
Comment 1 Lars Hartmann 2008-01-24 08:34:05 UTC
maintainers - please provide an updated ebuild
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2008-01-24 11:16:48 UTC
1.1.1 is already in the tree. Currently stable branch 1.0.8 is not affected. Nothing to do :)
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-24 11:57:17 UTC
Thx. Closing this one.