A cross-site scripting (XSS) flaw was found in the way MantisBT, a web-based issue tracking system, sanitized project name when displaying the project list for a particular filter. A remote attacker could provide a specially-crafted URL that, when visited would lead to arbitrary HTML or web script execution in the context of the MantisBT user's session. References: [1] http://www.openwall.com/lists/oss-security/2013/04/04/8 Upstream ticket: [2] http://www.mantisbt.org/bugs/view.php?id=15415 Upstream patch: [3] http://github.com/mantisbt/mantisbt/commit/c61dc631b4c37547a25e1306ed90aa09e9e1b837 (against 1.2.x branch) Introduced by: [4] https://github.com/mantisbt/mantisbt/commit/e539dd68df6b5efa79869ba8f6a0427fb5aa7835
This issue did NOT affect the versions of the mantis package, as shipped with Fedora release of 17, 18, and Fedora EPEL-5 (the former two already contain the upstream fix, the latter third one was not vulnerable to the problem).
The CVE identifier of CVE-2013-1932 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/04/06/4