oss-security September 2010 archive

Re: [oss-security] CVE request: mantis before 1.2.3 (XSS)

From: Kurt Seifried <kurt_at_nospam>
Date: Tue Sep 14 2010 - 23:20:10 GMT
To: oss-security@lists.openwall.com

On Tue, Sep 14, 2010 at 3:09 PM, Hanno Böck <hanno@hboeck.de> wrote:
> Addition:
> http://www.mantisbt.org/bugs/changelog_page.php?version_id=111
> lists six different xss issues.

The first two of which have CVE #'s

CVE-2010-3070
- 0012312: [security] NuSOAP WSDL XSS (cross-site scripting
vulnerability) in Mantis 1.2.2 (dhx) - resolved.

CVE-2010-2574
- 0012230: [security] XSS vulnerability when deleting maliciously
named categories (dhx) - resolved.

These four have no CVE #:
- 0012231: [security] XSS vulnerability when uninstalling maliciously
named plugins (dhx) - resolved.
- 0012232: [security] Multiple XSS issues with custom field
enumeration values (dhx) - resolved.
- 0012234: [security] XSS issues when using custom field String values
(dhx) - resolved.
- 0012238: [security] XSS in print_all_bug_page_word.php when printing
project and category names (dhx) - resolved.

-- Kurt Seifried kurt@seifried.org tel: 1-703-879-3176