View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012370 | mantisbt | security | public | 2010-09-18 19:12 | 2012-09-16 17:21 |
| Reporter | giallu | Assigned To | giallu | | |
| Priority | immediate | Severity | crash | Reproducibility | always |
| Status | closed | Resolution | fixed | | |
| Product Version | 1.1.8 | | | | |
| Fixed in Version | 1.1.9 | | | | |
| Summary | 0012370: Multiple XSS issues with custom field enumeration values | | | | |
| Description | MantisBT administrators (who can configure custom fields) can place malicious JavaScript within the options they define for custom field enumeration/checkbox/radio/etc. field types. These HTML-unsafe options are then printed to users throughout MantisBT (report, update, view, etc.) without sanitisation. This is low risk due to the need to be a MantisBT administrator to configure custom field values. Rather than being a pure security risk, this is more a case of allowing more characters to be used safely within custom field options. | | | | |
| Tags | No tags attached. | | | | |
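The report describes a stored XSS where an administrator-defined enumeration option is written verbatim into the HTML of the report, update and view pages. The following is an added example (not MantisBT's own code) that models that rendering path in a few lines: a pipe-separated option string is turned into a `<select>`, first the way the flaw works (unescaped) and then with every option escaped. The `|`-separated storage format, the field name `custom_field_1` and the helper names are assumptions made for the example.

```php
<?php
// Added example, not MantisBT code: models how a custom-field enumeration
// definition entered by an administrator is turned into a <select> on the
// report/update pages, unescaped (the reported flaw) and then escaped.

// Assumption: options are stored as one '|'-separated string. The last
// option is a constructed malicious value of the kind the report describes.
const POSSIBLE_VALUES = 'Low|Medium|High|<script>alert(document.cookie)</script>';

function split_options(string $possible_values): array {
    // Trim each option and drop empty entries left by stray separators.
    return array_values(array_filter(
        array_map('trim', explode('|', $possible_values)),
        'strlen'
    ));
}

// Vulnerable: option text is concatenated straight into attribute and
// element content, so '<script>' and a closing quote both break out.
function render_select_unsafe(string $name, string $possible_values, string $selected = ''): string {
    $html = '<select name="' . $name . '">';
    foreach (split_options($possible_values) as $opt) {
        $sel = ($opt === $selected) ? ' selected="selected"' : '';
        $html .= '<option value="' . $opt . '"' . $sel . '>' . $opt . '</option>';
    }
    return $html . '</select>';
}

// Escape for both attribute and text context. ENT_QUOTES covers the
// value="..." attribute; ENT_SUBSTITUTE avoids returning '' on bad UTF-8,
// which would otherwise silently drop an option.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: every administrator-influenced string goes through h(). This is
// also what lets '<', '&' and quotes be used as ordinary option text, which
// is the second point the report makes.
function render_select_safe(string $name, string $possible_values, string $selected = ''): string {
    $html = '<select name="' . h($name) . '">';
    foreach (split_options($possible_values) as $opt) {
        $sel = ($opt === $selected) ? ' selected="selected"' : '';
        $html .= '<option value="' . h($opt) . '"' . $sel . '>' . h($opt) . '</option>';
    }
    return $html . '</select>';
}

// Check: the unsafe markup carries a live <script> element, the safe one
// carries only '&lt;script&gt;', and the selected option still matches
// because comparison happens on the raw value before escaping.
$unsafe = render_select_unsafe('custom_field_1', POSSIBLE_VALUES, 'High');
$safe   = render_select_safe('custom_field_1', POSSIBLE_VALUES, 'High');

assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
assert(strpos($safe, '<option value="High" selected="selected">High</option>') !== false);

echo $unsafe, PHP_EOL, $safe, PHP_EOL;
```

The same escaping has to be applied wherever the stored value is echoed back, not only in the `<select>`: the view page prints the chosen option as plain text, and a checkbox or radio field prints each option beside its input, so each of those paths needs the equivalent of `h()` as well. Filtering the admin's input instead would block legitimate characters; escaping at output keeps every character usable and is the fix the report is asking for.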