MantisBT: master-1.2.x 0bff06ec

Author: Paul Richards
Committer: dregad
Branch: master-1.2.x
Timestamp: 2014-10-30 14:04
Parent: master-1.2.x 511564cc
Affected Issues: 0017583: CVE-2014-9270: Stored XSS in Mantis
Changeset

Fix 0017583: XSS in projax_api.php

Offensive Security reported this issue via their bug bounty program [1].

The Projax library does not properly escape HTML strings. An attacker
could take advantage of this to perform an XSS attack using the
profile/Platform field.

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad dregad@mantisbt.org

mod - core/projax_api.php