CVE-2011-3578 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3578): Cross-site scripting (XSS) vulnerability in bug_actiongroup_ext_page.php in MantisBT before 1.2.8 allows remote attackers to inject arbitrary web script or HTML via the action parameter, related to bug_actiongroup_page.php, a different vulnerability than CVE-2011-3357. Please punt vulnerable versions.
CVE-2011-3358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3358): Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script or HTML via the (1) os, (2) os_build, or (3) platform parameter to (a) bug_report_page.php or (b) bug_update_advanced_page.php, related to use of the Projax library.
CVE-2011-3356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3356): Multiple cross-site scripting (XSS) vulnerabilities in config_defaults_inc.php in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO, as demonstrated by the PATH_INFO to (1) manage_config_email_page.php, (2) manage_config_workflow_page.php, or (3) bugs/plugin.php.
CVE-2011-3755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3755): MantisBT 1.2.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by view_all_inc.php and certain other files. CVE-2011-3357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3357): Directory traversal vulnerability in bug_actiongroup_ext_page.php in MantisBT before 1.2.8 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter, related to bug_actiongroup_page.php. CVE-2011-2938 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2938): Multiple cross-site scripting (XSS) vulnerabilities in filter_api.php in MantisBT before 1.2.7 allow remote attackers to inject arbitrary web script or HTML via a parameter, as demonstrated by the project_id parameter to search.php.
Vulnerable version was dropped.
Vote: yes.
YES too, request filed.
which is the fixed version here?
This issue was resolved and addressed in GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml by GLSA coordinator Tobias Heinlein (keytoaster).