View Issue Details

ID: 0026079
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-12-30 08:27
Reporter: dregad
Assigned To: atrol
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 1.3.19
Fixed in Version: 1.3.19
Summary: 0026079: CVE-2019-15539: Stored XSS on Project Documentation
Description

This is a clone of 0026078 to track the issue in 1.3.x branch

Tags: No tags attached.

Relationships

duplicate of 0026078 (closed, atrol): CVE-2019-15539: Stored XSS on Project Documentation

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.3.x 796a327f
Date: 2019-08-25 01:52
Author: atrol
Committer: dregad

Fix XSS on project documentation

Vulnerability in deprecated project documentation functionality
($g_enable_project_documentation), allowing execution of arbitrary
code (if CSP settings permit it) after uploading an attachment with a
crafted filename.

Prevent the attack by sanitizing the filename before display.

Fixes 0026079 (clone of issue 0026078)

(cherry picked from commit bd094dede74ff6e313e286e949e2387233a96eea)
Affected Issues: 0026078, 0026079
mod - proj_doc_edit_page.php