Message-ID: <1292381657.1716.207.camel@hydrus>
Date: Wed, 15 Dec 2010 13:54:17 +1100
From: David Hicks <hickseydr@...usnet.com.au>
To: oss-security@...ts.openwall.com
Subject: CVE request: MantisBT <=1.2.3 (db_type) Cross-Site Scripting &
 Path Disclosure Vulnerability

This is a CVE request for a vulnerability discovered in MantisBT <1.2.4
by Gjoko Krstic of Zero Science Lab as per the following advisory:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php

MantisBT 1.2.4 has been released to resolve this issue.

For distributions or users using MantisBT 1.1.x, the following patch can
be applied:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

Please note that MantisBT 1.1.x is not recommended for use due to many
security improvements and features implemented in MantisBT 1.2.x (but
not backported to 1.1.x).

Detailed information about this vulnerability can be found in this bug
report: http://www.mantisbt.org/bugs/view.php?id=12607

Regards,

David Hicks
MantisBT Developer
mantisbt.org, #mantishelp freenode
