version 595510 1.2.x
forwarded 595510 http://www.mantisbt.org/bugs/view.php?id=12312
thanks

Hi,

I tested this issue under version 1.1.6+dfsg-2lenny1 (lenny), 1.1.8+dfsg-5 (sid) and 1.2.1-1 (being packaged, soon in experimental), so I am reassigning this issue to version 1.2.x.

This bug does not affect current distributed packages under Debian. Please let me know if further steps should be taken.

(Not sure if it's admitted to assign this bug to a version that is not already in the repository, but anyway it will exist soon. I don't want this issue to prevent mantis from being a candidate for squeeze.)

Thanks to all,

PS: Michael, thanks for being aware.

Michael Gilbert wrote:
> Package: mantis
> Version: 1.1.8+dfsg-5
> Severity: serious
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for mantis. After a quick search, I couldn't find enough info
> to be able to check whether this affects older versions. Please check.
>
> CVE-2010-2574[0]:
> | Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in
> | MantisBT 1.2.2 allows remote authenticated administrators to inject
> | arbitrary web script or HTML via the name parameter in an Add Category
> | action.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2574
>     http://security-tracker.debian.org/tracker/CVE-2010-2574