Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <loom.20130408T114452-904@post.gmane.org>
Date: Mon, 8 Apr 2013 09:47:13 +0000 (UTC)
From: Damien Regad <damien.regad@...ckgroup.com>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple CVE requests for MantisBT

Kurt Seifried <kseifried@...> writes:
> Please use CVE-2013-1930 for this issue.

Hi Kurt,

Thanks for assigning the 3 CVE's.

> > 4. XSS issue on Configuration Report page when displaying complex
> > value
> > 
> > This issue affects Mantis 1.2.0rc1 and later.
> > 
> > Lack of proper string escaping allows users (having admin access)
> > to enter arbitrary javascript code and have it executed on the
> > user's browser.
> > 
> > Reference: http://www.mantisbt.org/bugs/view.php?id=15416
> 
> Does this count as a proper release or does it fall into the "beta"
> classification?

1.2.0rc1 was a beta release. 
The first "proper" release affected by this was 1.2.0

Hope this clarifies, let me know if you need more info.

Damien


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.