It was reported [1] that the MantisBT Configuration Report (adm_config_report.php) did not properly sanitize the form variables used when saving a filter, allowing an attacker to embed JavaScript code which would be executed in the client's browser when displaying the page. Affected versions: - >= 1.2.13 - 1.3.0-beta.1 Fixed in versions: - 1.2.20 (not yet released) - 1.3.0-beta.2 (not yet released) Patch: See Github [1] Further details will be available in MantisBT issue tracker [2] once this goes public. [1] https://github.com/mantisbt/mantisbt/commit/6defeed5 (1.2.x) https://github.com/mantisbt/mantisbt/commit/3c6f6e56 (1.3.x) [2] https://www.mantisbt.org/bugs/view.php?id=19301
Created mantis tracking bugs for this issue: Affects: fedora-all [bug 1191133] Affects: epel-all [bug 1191134]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.