View Issue Details

ID: 0012230
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-03-15 20:07
Reporter: jreese
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.2
Target Version: 1.2.3
Fixed in Version: 1.2.3
Summary: 0012230: CVE-2010-2574: XSS vulnerability when deleting maliciously named categories
Description

As reported by Secunia, SA40832, there is an XSS vulnerability when deleting categories that have been maliciously named. Chance of attack is extremely low due to requiring project manager access.

Additional Information

Official Secunia announcement: http://secunia.com/advisories/40832/

Tags: No tags attached.

Relationships

related to 0012231 (closed, dhx): XSS vulnerability when uninstalling maliciously named plugins
related to 0012369 (closed, giallu): CVE-2010-2574: XSS vulnerability when deleting maliciously named categories

Activities

dhx

2010-08-04 09:28

reporter   ~0026211

All fixed, thanks John :)

jreese

2010-08-05 18:13

reporter   ~0026236

Last edited: 2010-08-05 18:21

Official Secunia announcement: http://secunia.com/advisories/40832/

oberger

2010-09-04 17:31

reporter   ~0026578

For future reference, this is also CVE-2010-2574 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2574)

Related Changesets

MantisBT: master 083c34f0

2010-08-04 13:17:54

dhx

Fix 0012230: XSS vulnerability when deleting maliciously named categories

As reported by Secunia, SA40832, there is an XSS vulnerability when
deleting project categories that have been maliciously named. The chance
of attack is low due to requiring project manager access to create
malicious project categories in the first place.

Thanks to John Reese for debugging this issue.
Affected Issues
0012230
mod - manage_proj_cat_delete.php

MantisBT: master-1.2.x a374a7c9

2010-08-04 13:17:54

dhx

Fix 0012230: XSS vulnerability when deleting maliciously named categories

As reported by Secunia, SA40832, there is an XSS vulnerability when
deleting project categories that have been maliciously named. The chance
of attack is low due to requiring project manager access to create
malicious project categories in the first place.

Thanks to John Reese for debugging this issue.
Affected Issues
0012230
mod - manage_proj_cat_delete.php

Issue History

Date Modified Username Field Change
2010-08-04 09:13 jreese New Issue
2010-08-04 09:13 jreese Status new => assigned
2010-08-04 09:13 jreese Assigned To => dhx
2010-08-04 09:15 jreese Issue cloned: 0012231
2010-08-04 09:15 jreese Relationship added related to 0012231
2010-08-04 09:28 dhx Changeset attached => MantisBT master 083c34f0
2010-08-04 09:28 dhx Changeset attached => MantisBT master-1.2.x a374a7c9
2010-08-04 09:28 dhx Resolution open => fixed
2010-08-04 09:28 dhx Fixed in Version => 1.2.3
2010-08-04 09:28 dhx Note Added: 0026211
2010-08-04 09:28 dhx Status assigned => resolved
2010-08-04 09:28 dhx Fixed in Version 1.2.3 =>
2010-08-04 09:29 dhx Fixed in Version => 1.2.3
2010-08-05 18:13 jreese Note Added: 0026236
2010-08-05 18:21 jreese Note Edited: 0026236 View Revisions
2010-08-05 18:22 jreese Additional Information Updated View Revisions
2010-08-05 18:37 dhx View Status private => public
2010-09-04 17:31 oberger Note Added: 0026578
2010-09-18 17:32 giallu Issue cloned: 0012369
2010-09-18 17:32 giallu Relationship added related to 0012369
2011-08-02 12:35 dregad Status resolved => closed
2015-03-15 20:07 dregad Assigned To dhx =>
2015-03-15 20:07 dregad Summary XSS vulnerability when deleting maliciously named categories => CVE-2010-2574: XSS vulnerability when deleting maliciously named categories