Bug 948977 (CVE-2013-1932)

Summary: CVE-2013-1932 mantis: XSS on the Configuration Report page
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: extras-orphan, giallu, guillaume, sven
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-04-05 15:11:08 UTC

Description Jan Lieskovsky 2013-04-05 15:06:00 UTC
A cross-site scripting (XSS) flaw was found in the way MantisBT, a web-based issue tracking system, sanitized the project name when displaying the project list for a particular filter. A remote attacker could provide a specially-crafted URL that, when visited, would lead to arbitrary HTML or web script execution in the context of the MantisBT user's session.

References:
[1] http://www.openwall.com/lists/oss-security/2013/04/04/8

Upstream ticket:
[2] http://www.mantisbt.org/bugs/view.php?id=15415

Upstream patch:
[3] http://github.com/mantisbt/mantisbt/commit/c61dc631b4c37547a25e1306ed90aa09e9e1b837 (against 1.2.x branch)

Introduced by:
[4] https://github.com/mantisbt/mantisbt/commit/e539dd68df6b5efa79869ba8f6a0427fb5aa7835

Comment 1 Jan Lieskovsky 2013-04-05 15:11:08 UTC
This issue did NOT affect the versions of the mantis package as shipped with Fedora releases 17 and 18, and Fedora EPEL-5 (the former two already contain the upstream fix; the third was not vulnerable to the problem).

Comment 2 Jan Lieskovsky 2013-04-09 09:57:50 UTC
The CVE identifier of CVE-2013-1932 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/04/06/4