oss-security - CVE request: mantis before 1.2.3 (XSS)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-Id: <201009142306.07888.hanno@hboeck.de>
Date: Tue, 14 Sep 2010 23:06:07 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: mantis before 1.2.3 (XSS)

From release notes

"Issue #12312 covers an XSS vulnerability in the upstream NuSOAP library. 
The fix has been applied to the library included in MantisBT releases, 
and a patch has been submitted upstream for future releases of NuSOAP. 
See http://www.mantisbt.org/bugs/view.php?id=12312 for further details.

Also included with 1.2.3 are another round of XSS fixes to MantisBT, 
improved excel export, translation updates, and bug fixes to the SOAP 
API, installation, plugin system, and email notifications."

So although it's both xss, one is in mantis itself and one in the 
shipped/bundled nusoap, so we should have 2 CVEs.

-- 
Hanno Böck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@...eck.de

http://schokokeks.org - professional webhosting

Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.