MantisBT before 2.4.1 allows Permalink Injection via CSRF attacks on a permalink_page.php?url= URI. This is caused by a lack of a backslash check in string_api.php. Upstream bug: https://mantisbt.org/bugs/view.php?id=22909
Created mantis tracking bugs for this issue: Affects: fedora-all [bug 1454286]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.