MantisBT: master 9ef8f23a

Author Committer Branch Timestamp Parent
dregad dregad master 2020-06-22 06:55:46 master-2.24 2fc66610
Affected Issues  0027056: CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php
Changeset

Fix XSS in view_all_bug_page.php (CVE-2020-16266)

Hanno Boeck reported a stored cross-site scripting (XSS) vulnerability,
originally discovered by Jaime Andres Restrepo.

Improper escaping on view_all_bug_page.php allowed a remote attacker to
inject arbitrary HTML into the page by saving it into a text Custom
Field, leading to possible code execution in the browser of any user
subsequently viewing the issue (if CSP settings allow it).

Prevent the attack by properly escaping the custom field's contents
before display.

Fixes 0027056

mod - core/filter_form_api.php Diff File