View Issue Details

IDProjectCategoryView StatusLast Update
0023175mantisbtsecuritypublic2017-09-03 18:41
Reporterdregad Assigned Todregad  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.3.11 
Target Version1.3.12Fixed in Version1.3.12 
Summary0023175: CVE-2017-12061: XSS in /admin/install.php script
Description

This is a clone of 0023146 to track the fix in 1.3.x branch.

TagsNo tags attached.

Relationships

child of 0023146 closeddregad CVE-2017-12061: XSS in /admin/install.php script 

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.3.x 17f9b94f

2017-08-01 07:00:04

dregad

Details Diff
Fix XSS in install.php (CVE-2017-12061)

aLLy from ONSEC (https://twitter.com/IamSecurity) reported this
vulnerability, allowing an attacker to inject arbitrary code through
crafted forms variables.

Sanitizing the database error message prior to output prevents the
attack.

Fixes 0023146

Backported from c73ae3d3d4dd4681489a9e697e8ade785e27cba5
Affected Issues
0023146, 0023175
mod - admin/install.php Diff File