Bug 489050 (CVE-2013-4460) - <www-apps/mantisbt-1.2.15-r1: XSS vulnerability (CVE-2013-4460)
Summary: <www-apps/mantisbt-1.2.15-r1: XSS vulnerability (CVE-2013-4460)
Status: RESOLVED FIXED
Alias: CVE-2013-4460
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2013/q4/152
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-22 17:56 UTC by Mikle Kolyada (RETIRED)
Modified: 2014-01-11 22:39 UTC

See Also:
Package list:
Runtime testing required: ---


Description Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-22 17:56:12 UTC
from ${URL}:

Greetings

Roland Becker (MantisBT developer) discovered and fixed [1] an XSS vulnerability issue affecting MantisBT releases 1.0.0 to 1.2.15 included.


account_sponsor_page.php did not correctly sanitize project names, enabling a malicious user to execute malicious JavaScript when visiting that page.


The criticality of this issue is compounded by the fact that a high-privilege account (typically project manager or administrator) is required to edit project names.


Patches attached to [1]. Can you please assign a CVE ID to this issue?

Thank you

D. Regad
MantisBT Developer
http://mantisbt.org/

[1] http://www.mantisbt.org/bugs/view.php?id=16513

BCC: mantisbt-dev () lists sourceforge net
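The defect class the report describes (a privileged user's project name written into an HTML page without output encoding) as a minimal PHP example added here. This is not MantisBT's code and does not reproduce the upstream patch; it assumes plain `htmlspecialchars` as the fix, whereas MantisBT may use its own string helper. The project name is a constructed sample.

```php
<?php
// Added example, not MantisBT code: contextual output encoding for a
// user-controlled project name rendered into HTML, beside the unescaped
// rendering that produces a stored XSS. Sample input is constructed.

declare(strict_types=1);

// Constructed sample: a project name set by a privileged account that
// carries markup. Any value read back from the database must be treated
// as untrusted at the point where it is written into the page.
const SAMPLE_PROJECT_NAME = 'Payroll <script>alert(1)</script>';

/**
 * Vulnerable rendering: the value is interpolated verbatim, so markup
 * inside it becomes part of the DOM of every user who views the page.
 */
function render_project_cell_unescaped(string $project_name): string
{
    return '<td>' . $project_name . '</td>';
}

/**
 * Encode for the HTML text context. ENT_QUOTES also encodes ' and " so the
 * same helper is safe inside quoted attribute values; ENT_SUBSTITUTE keeps
 * invalid UTF-8 from turning the whole value into an empty string.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened rendering: encode at output time, not at storage time, so the
 * stored name stays intact and every render path gets the same protection.
 */
function render_project_cell_escaped(string $project_name): string
{
    return '<td>' . html_escape($project_name) . '</td>';
}

/**
 * Cheap regression check for this bug class: no raw '<' or '"' from the
 * input may survive inside the rendered cell.
 */
function cell_is_markup_free(string $rendered_cell): bool
{
    $inner = substr($rendered_cell, strlen('<td>'), -strlen('</td>'));
    return strpos($inner, '<') === false && strpos($inner, '"') === false;
}

if (PHP_SAPI === 'cli') {
    echo "unescaped: ", render_project_cell_unescaped(SAMPLE_PROJECT_NAME), "\n";
    echo "escaped:   ", render_project_cell_escaped(SAMPLE_PROJECT_NAME), "\n";
    echo "unescaped markup-free: ",
        var_export(cell_is_markup_free(render_project_cell_unescaped(SAMPLE_PROJECT_NAME)), true), "\n";
    echo "escaped markup-free:   ",
        var_export(cell_is_markup_free(render_project_cell_escaped(SAMPLE_PROJECT_NAME)), true), "\n";
}
```

Run with `php example.php`: the unescaped cell fails the check and the escaped one passes. The point the report makes about privilege still holds for the hardened form: encoding at output protects viewers of the page, but it does not make the project-name field itself any less of a high-value write, so the change of a project name remains worth logging and reviewing.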
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2013-10-23 04:55:59 UTC
Fix available @ upstream
http://www.mantisbt.org/bugs/view.php?id=16513
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-03 01:31:55 UTC
Maintainer timeout, bumped. Arches, please stabilize:
=www-apps/mantisbt-1.2.15-r1
Target arches: amd64 x86
Comment 3 Agostino Sarubbo gentoo-dev 2013-12-06 20:40:05 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-12-06 20:42:06 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-26 19:32:20 UTC
cleanup done.
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-26 19:35:04 UTC
GLSA vote: no.
Comment 7 Sergey Popov gentoo-dev 2013-12-27 10:06:35 UTC
GLSA vote: no

Closing as noglsa.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-01-11 22:39:42 UTC
CVE-2013-4460 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4460):
  Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in
  MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject
  arbitrary web script or HTML via a project name.