A cross-site scripting (XSS) flaw was found in the way Mantis, a web-based issue tracking system, performed sanitization of category / project names in the summary page. A Mantis user with manager / administrator privilege could create category or project with specially-crafted name that, when visited would lead to arbitrary web script or HTML code execution. References: [1] http://www.openwall.com/lists/oss-security/2013/01/18/10 Upstream bug report: [2] http://www.mantisbt.org/bugs/view.php?id=15384 Relevant patch: [3] https://github.com/mantisbt/mantisbt/commit/7df30a9ee703f4d48e6ef8df078cff3a6029c5b9
This issue affects the versions of the mantis package, as shipped with Fedora release of 16, 17, and 18. Please schedule an update. -- This issue did not affect the version of the mantis package, as shipped with Fedora EPEL 5 (issue is upstream 1.2.12 version specific).
Created mantis tracking bugs for this issue Affects: fedora-all [bug 902331]
mantis-1.2.14-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.2.14-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.