Bug 233336 (CVE-2008-3331) - www-apps/mantisbt <1.1.2 Multiple vulnerabilities (CVE-2008-{3331,3332,3333})
Summary: www-apps/mantisbt <1.1.2 Multiple vulnerabilities (CVE-2008-{3331,3332,3333})
Status: RESOLVED FIXED
Alias: CVE-2008-3331
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.mantisbt.org/bugs/changelo...
Whiteboard: C1/B3 [glsa]
Keywords:
Depends on:
Blocks: 222649
Reported: 2008-07-30 00:41 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-26 19:27 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 00:41:02 UTC
CVE-2008-3331 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3331):
  Cross-site scripting (XSS) vulnerability in return_dynamic_filters.php in
  Mantis before 1.1.2 allows remote attackers to inject arbitrary web script or
  HTML via the filter_target parameter.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 00:44:41 UTC
CVE-2008-3332 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3332):
  Eval injection vulnerability in adm_config_set.php in Mantis before 1.1.2
  allows remote authenticated administrators to execute arbitrary code via the
  value parameter.

CVE-2008-3333 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3333):
  Directory traversal vulnerability in core/lang_api.php in Mantis before 1.1.2
  allows remote attackers to read and include arbitrary files via the language
  parameter to the user preferences page (account_prefs_update.php).
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-07 17:38:00 UTC
1.1.2 seems to be in the tree so I'm removing webapps from cc. Please re-add if webapps should still take an interest in the bug.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-07 17:44:23 UTC
Arches, please test and mark stable www-apps/mantisbt-1.1.2.
Target Keywords: "amd64 ppc x86"
Comment 4 Markus Meier gentoo-dev 2008-09-07 19:03:47 UTC
amd64/x86 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-19 18:48:45 UTC
ppc stable
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-19 19:55:52 UTC
glsa request filed.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-21 17:28:15 UTC
GLSA 200809-10