0016513: CVE-2013-4460: XSS in account_sponsor_page.php project names

ID	Project	Category	View Status	Date Submitted	Last Update
0016513	mantisbt	security	public	2013-10-19 14:35	2014-12-22 08:23

Reporter	atrol	Assigned To	atrol
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.15
Target Version	1.2.16	Fixed in Version	1.2.16

Summary	0016513: CVE-2013-4460: XSS in account_sponsor_page.php project names
Description	account_sponsor_page.php.php does not correctly sanitise project names. It is thus possible for a malicious user with project manager access permissions (or higher) to let users execute malicious JavaScript when visiting account_sponsor_page.php.
Tags	No tags attached.

MantisBT: master 0002d106 2013-10-19 10:36 atrol Details Diff	Fix 0016513: XSS in account_sponsor_page.php project names account_sponsor_page.php.php does not correctly sanitise project names. It is thus possible for a malicious user with project manager access permissions (or higher) to let users execute malicious JavaScript when visiting account_sponsor_page.php.	Affected Issues 0016513
	mod - account_sponsor_page.php	Diff File
MantisBT: master-1.2.x ad929d48 2013-10-19 10:36 atrol Committer: dregad Details Diff	Fix 0016513: XSS in account_sponsor_page.php project names account_sponsor_page.php.php does not correctly sanitise project names. It is thus possible for a malicious user with project manager access permissions (or higher) to let users execute malicious JavaScript when visiting account_sponsor_page.php.	Affected Issues 0016513
	mod - account_sponsor_page.php	Diff File

dregad 2013-10-21 17:57 developer ~0038323	Security issues should be backported to 1.2

dregad 2013-10-31 19:51 developer ~0038408	CVE assigned http://thread.gmane.org/gmane.comp.security.oss.general/11351/focus=11367