View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0026079 | mantisbt | security | public | 2019-08-25 07:27 | 2020-12-30 08:27 |
Reporter | dregad | Assigned To | atrol | ||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Target Version | 1.3.19 | Fixed in Version | 1.3.19 | ||
Summary | 0026079: CVE-2019-15539: Stored XSS on Project Documentation | ||||
Description | This is a clone of 0026078 to track the issue in 1.3.x branch | ||||
Tags | No tags attached. | ||||
MantisBT: master-1.3.x 796a327f 2019-08-25 01:52 Committer: dregad |
Fix XSS on project documentation Vulnerability in deprecated project documentation functionality ($g_enable_project_documentation), allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. Prevent the attack by sanitizing the filename before display. Fixes 0026079 (clone of issue 0026078) (cherry picked from commit bd094dede74ff6e313e286e949e2387233a96eea) |
Affected Issues 0026078, 0026079 |
mod - proj_doc_edit_page.php |