A persistent cross-site scripting (XSS) flaw was found in the way Mantis, a web-based issue tracking system, performed sanitization of the 'match_type' parameter. A remote attacker could provide a specially-crafted URL that, when processed by a Mantis instance, would lead to arbitrary web script or HTML execution.

References:
[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html

Upstream bug report:
[2] http://www.mantisbt.org/bugs/view.php?id=15373

Relevant patches (against 1.2.2 branch):
[3] https://github.com/mantisbt/mantisbt/commit/bbc6b4f3ea8d0a53ae8c44e4218df6675a4e5fdf
[4] https://github.com/mantisbt/mantisbt/commit/610da6ecda08239187bc12bf9bf35ba4d27f1920

Other references:
[5] http://www.openwall.com/lists/oss-security/2013/01/18/1
[6] http://www.openwall.com/lists/oss-security/2013/01/18/8
This issue affects the versions of the mantis package, as shipped with Fedora release of 16, 17, and 18. Please schedule an update.

--

This issue did NOT affect the version of the mantis package, as shipped with Fedora EPEL 5.
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 902331]
Updated post from Damien Regad regarding this issue on OSS list (didn't reach the list yet. Please have a look at further details below):

Kurt Seifried <kseifried@...> writes:
> Please use CVE-2013-0197 for this issue.

Hi Kurt,

Thanks for creating the CVE; please take note of a small rectification on the original issue report:

David Hicks <d <at> hx.id.au> writes:
> Jakub Galczyk discovered[1][2] a cross site scripting (XSS)
> vulnerability in *MantisBT 1.2.12 and earlier versions*

This affects *only MantisBT version 1.2.12* (and the 'master' development branch after 15-Sep-2012), as earlier versions did not contain the commit introducing the 'match type' filtering feature [1].

It's also worth mentioning that a better patch for the vulnerability is available under follow-up issue #15388 [2]

Damien Regad
MantisBT developer

[1] 1.2.x branch: https://github.com/mantisbt/mantisbt/commit/5b491868
    master branch: https://github.com/mantisbt/mantisbt/commit/6c6c3d72
[2] http://www.mantisbt.org/bugs/view.php?id=15388
mantis-1.2.14-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.2.14-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.