It was reported [1],[2] that an XSS flaw in Mantis' account_sponsor_page.php existed, where project names were not properly sanitized. This could lead to the execution of malicious javascript when visiting that page if a malicious user had project manager permissions. This exists in all versions of Mantis from 1.0.0 to 1.2.15 and is corrected in 1.2.16. A patch for 1.2.x is available [3]. [1] http://www.mantisbt.org/bugs/view.php?id=16513 [2] http://seclists.org/oss-sec/2013/q4/152 [3] https://github.com/mantisbt/mantisbt/commit/ad929d486bad460e9bd23eeec1e1e4bf828b7cb4
mantis-1.2.15-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.2.15-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.2.15-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.