View Issue Details

ID: 0016513
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-22 08:23
Reporter: atrol
Assigned To: atrol
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.15
Target Version: 1.2.16
Fixed in Version: 1.2.16
Summary: 0016513: CVE-2013-4460: XSS in account_sponsor_page.php project names
Description

account_sponsor_page.php does not correctly sanitise project names.
It is thus possible for a malicious user with project manager access permissions (or higher) to let users execute malicious JavaScript when visiting account_sponsor_page.php.
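
The pattern behind this report, as an added PHP illustration: this is neither MantisBT's code nor the change committed for this issue. It shows a project name written into the page verbatim (the unsafe sink the report describes) beside the same output escaped for an HTML context. The sample project names, render_unsafe(), render_safe() and contains_raw_script() are constructed for the example.

```php
<?php
// Added illustration for issue 0016513; not MantisBT code and not the fix
// that closed the issue. Sample data and helper names are constructed.

// Constructed sample project names. Anyone with project-manager rights can
// set a name like the second one; the third shows characters that must
// survive escaping without breaking the markup.
$projects = array(
    array( 'id' => 1, 'name' => 'Docs' ),
    array( 'id' => 2, 'name' => '<script>alert(document.cookie)</script>' ),
    array( 'id' => 3, 'name' => 'Core "stable" & more' ),
);

// Unsafe sink: the stored name is concatenated into HTML as-is, so any
// markup in it is parsed and executed by every visitor's browser.
function render_unsafe( array $p ) {
    return '<td>' . $p['name'] . '</td>';
}

// Escape for an HTML text/attribute context: ENT_QUOTES also covers the
// single quote, and the explicit charset avoids encoding-dependent gaps.
function escape_html( $s ) {
    return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' );
}

// Escaped sink: the name is displayed as text, never interpreted.
function render_safe( array $p ) {
    return '<td>' . escape_html( $p['name'] ) . '</td>';
}

// Crude check for rendered output during testing: a literal <script
// tag in the response means some sink still prints the name raw.
function contains_raw_script( $html ) {
    return stripos( $html, '<script' ) !== false;
}

foreach ( $projects as $p ) {
    $unsafe = render_unsafe( $p );
    $safe   = render_safe( $p );
    echo 'unsafe: ' . $unsafe . ( contains_raw_script( $unsafe ) ? '   [XSS]' : '' ) . "\n";
    echo 'safe:   ' . $safe . "\n";
}
```

Run it with `php example.php`. The escaped row for the second project renders `&lt;script&gt;...` as visible text instead of executing it. Because a project manager is allowed to choose any name, filtering at storage time is the wrong place for the fix; the escaping has to happen at each HTML sink that prints the name, which is why the changeset for this issue touches the page that displays it rather than the code that saves it.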

Tags: No tags attached.

Activities

dregad (developer), 2013-10-21 17:57, note ~0038323

Security issues should be backported to 1.2

dregad (developer), 2013-10-31 19:51, note ~0038408

CVE assigned http://thread.gmane.org/gmane.comp.security.oss.general/11351/focus=11367

Related Changesets

MantisBT: master 0002d106
2013-10-19 10:36, author: atrol

Fix 0016513: XSS in account_sponsor_page.php project names

account_sponsor_page.php does not correctly sanitise project
names. It is thus possible for a malicious user with project
manager access permissions (or higher) to let users execute
malicious JavaScript when visiting account_sponsor_page.php.

Affected Issues: 0016513
mod - account_sponsor_page.php

MantisBT: master-1.2.x ad929d48
2013-10-19 10:36, author: atrol, committer: dregad

Fix 0016513: XSS in account_sponsor_page.php project names

account_sponsor_page.php does not correctly sanitise project
names. It is thus possible for a malicious user with project
manager access permissions (or higher) to let users execute
malicious JavaScript when visiting account_sponsor_page.php.

Affected Issues: 0016513
mod - account_sponsor_page.php