An XSS flaw has been reported against NuSOAP (original report against Mantis):
[1] http://www.mantisbt.org/bugs/view.php?id=12312

Report against NuSOAP:
[2] http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

David Hicks of the Mantis community provided a temporary fix:
[3] http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=edb817991b99cd5538f102be26865fde7c6b7212
till the issue is addressed on the NuSOAP side.

The versions of the php-nusoap packages, as shipped with Fedora releases 12 and 13, have already been updated:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=629585
[5] https://bugzilla.redhat.com/show_bug.cgi?id=629585#c2
[6] https://bugzilla.redhat.com/show_bug.cgi?id=629585#c3

But the versions of Mantis, as shipped with Fedora releases 12 and 13, are still prone to this issue (because it uses its own embedded copy of the NuSOAP library and not the system one).

Please fix this issue by making Mantis use the system php-NuSOAP library instead of its own embedded copy.
MantisBT 1.2.3 has been released to fix this XSS vulnerability in the bundled version of NuSOAP (and a few other minor XSS issues).
http://sourceforge.net/mailarchive/message.php?msg_name=4C8FC573.3060900%40leetcode.net
http://sourceforge.net/projects/mantisbt/files/
Created mantis tracking bugs for this issue.
Affects: fedora-all [bug 634341]
The update was pushed lately (1.1.8-4), looks like something did not work with auto-closing and commenting.