Upstream MantisBT has released [1] version 1.2.3 which corrects a number of XSS flaws. Two already have CVE names: CVE-2010-3070 and CVE-2010-2574. There are an additional four issues currently without CVE names.

From the changelog [1]:

- 0012312: [security] NuSOAP WSDL XSS (cross-site scripting vulnerability) in Mantis 1.2.2 (CVE-2010-3070)
- 0012230: [security] XSS vulnerability when deleting maliciously named categories (CVE-2010-2574)
- 0012231: [security] XSS vulnerability when uninstalling maliciously named plugins
- 0012232: [security] Multiple XSS issues with custom field enumeration values
- 0012234: [security] XSS issues when using custom field String values
- 0012238: [security] XSS in print_all_bug_page_word.php when printing project and category names

[1] http://sourceforge.net/mailarchive/message.php?msg_name=4C8FC573.3060900%40leetcode.net
[2] http://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.3
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 634341]
The four issues without CVE names have been given the name CVE-2010-3303.
The update was pushed lately; it looks like something did not work with auto-closing.