Bug 902315 (CVE-2013-0197)
| Summary: | CVE-2013-0197 mantis: Persistent XSS due improper sanitization of the match_type variable | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | extras-orphan, giallu, sven |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-19 21:58:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 902331 | ||
| Bug Blocks: | |||
|
Description
Jan Lieskovsky
2013-01-21 11:18:31 UTC
This issue affects the versions of the mantis package, as shipped with Fedora release of 16, 17, and 18. Please schedule an update. -- This issue did NOT affect the version of the mantis package, as shipped with Fedora EPEL 5. Created mantis tracking bugs for this issue Affects: fedora-all [bug 902331] Updated post from Damien Regad regarding this issue on OSS list (didn't reach the list yet. Please have a look at further details below): Kurt Seifried <kseifried@...> writes: > Please use CVE-2013-0197 for this issue. Hi Kurt, Thanks for creating the CVE; please take note of a small rectification on the original issue report: David Hicks <d <at> hx.id.au> writes: > Jakub Galczyk discovered[1][2] a cross site scripting (XSS) > vulnerability in *MantisBT 1.2.12 and earlier versions* This affects *only MantisBT version 1.2.12* (and the 'master' development branch after 15-Sep-2012), as earlier versions did not contain the commit introducing the 'match type' filtering feature [1]. It's also worth mentioning that a better patch for the vulnerability is available under follow-up issue #15388 [2] Damien Regad MantisBT developer [1] 1.2.x branch: https://github.com/mantisbt/mantisbt/commit/5b491868 master branch: https://github.com/mantisbt/mantisbt/commit/6c6c3d72 [2] http://www.mantisbt.org/bugs/view.php?id=15388 mantis-1.2.14-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. mantis-1.2.14-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. |