View Issue Details

ID: 0023175
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-09-03 18:41
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.11
Target Version: 1.3.12
Fixed in Version: 1.3.12
Summary0023175: CVE-2017-12061: XSS in /admin/install.php script
Description

This is a clone of 0023146 to track the fix in 1.3.x branch.

Tags: No tags attached.

Relationships

child of 0023146 (closed, dregad): CVE-2017-12061: XSS in /admin/install.php script

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.3.x 17f9b94f

2017-08-01 07:00:04

dregad

Fix XSS in install.php (CVE-2017-12061)

aLLy from ONSEC (https://twitter.com/IamSecurity) reported this
vulnerability, allowing an attacker to inject arbitrary code through
crafted form variables.

Sanitizing the database error message prior to output prevents the
attack.

Fixes 0023146

Backported from c73ae3d3d4dd4681489a9e697e8ade785e27cba5
mod - admin/install.php
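The fix described in the commit message (escape the database error message before writing it into the page) as an added illustration, not MantisBT's own install.php code. It assumes a hypothetical installer that takes the database host and user from form variables and, when the connection fails, shows a driver error message that echoes those values back; the error text, the form field names and the payload are constructed for this example.

```php
<?php
// Illustration only (not MantisBT code). Assumed scenario: an installer
// reads connection settings from the install form, and the database
// driver's failure message repeats those attacker-controlled values.

// Constructed stand-in for a driver error string. The real text would
// come from the database layer; what matters is that $host and $user
// are reflected verbatim.
function db_connect_error(string $host, string $user): string
{
    return "Could not connect to database server '$host' as user '$user'";
}

// Vulnerable pattern: the error is concatenated into HTML unescaped, so
// a host value such as <script>...</script> becomes live markup.
function render_error_unsafe(string $message): string
{
    return '<p class="error">' . $message . '</p>';
}

// Fixed pattern: escape for the HTML body context immediately before
// output. ENT_QUOTES also covers attribute contexts; the charset is
// passed explicitly so the escaping matches the page encoding.
function render_error_safe(string $message): string
{
    return '<p class="error">'
        . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Constructed input standing in for $_POST['hostname'] and
// $_POST['db_username'] on the install form; pass your own host as the
// first CLI argument to try other values.
$host = $argv[1] ?? '<script>alert(document.domain)</script>';
$user = $argv[2] ?? 'mantis';

$message = db_connect_error($host, $user);

echo "Unsafe: ", render_error_unsafe($message), PHP_EOL;
echo "Safe:   ", render_error_safe($message), PHP_EOL;
```

Run with `php example.php` and compare the two lines: the unsafe output contains the `<script>` element intact, while the safe output contains `&lt;script&gt;` and the quotes around the values are turned into `&#039;`, so the browser renders the message as text. Escaping at the output site rather than when the form is read is deliberate: the same error string may later be logged or returned over an API, and each sink needs its own encoding.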

Issue History

Date Modified Username Field Change
2017-08-01 08:04 dregad New Issue
2017-08-01 08:04 dregad Status new => assigned
2017-08-01 08:04 dregad Assigned To => dregad
2017-08-01 08:04 dregad Issue generated from: 0023146
2017-08-01 08:04 dregad Relationship added related to 0023146
2017-08-01 09:09 dregad Relationship replaced child of 0023146
2017-08-01 09:19 dregad Changeset attached => MantisBT master-1.3.x 17f9b94f
2017-08-01 09:19 dregad Status assigned => resolved
2017-08-01 09:19 dregad Resolution open => fixed
2017-08-01 09:19 dregad Fixed in Version => 1.3.12
2017-08-01 09:23 dregad View Status private => public
2017-08-06 07:17 atrol Category installation => security
2017-09-03 18:41 vboctor Status resolved => closed