View Issue Details
Field | Value |
---|---|
ID | 0022742 |
Project | mantisbt |
Category | security |
View Status | public |
Date Submitted | 2017-04-18 10:35 |
Last Update | 2017-04-30 14:48 |
Reporter | dregad |
Assigned To | dregad |
Priority | high |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Product Version | 2.3.0 |
Target Version | 2.3.2 |
Fixed in Version | 2.3.2 |
Summary | 0022742: CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php) |
Description | Yes, we have a CSP policy in place, but it can be disabled optionally per application config, and does not include prefixed headers so IE 10/11 would be susceptible as they use X-Content-Security-Policy according to CanIUse. |
Steps To Reproduce | Navigate to |
Additional Information | Initially reported by user quantumpacket in https://github.com/mantisbt/mantisbt/pull/1094 |
Tags | No tags attached. |
Repository | Branch | Commit | Date |
---|---|---|---|
MantisBT | master-2.3 | a1c71931 | 2017-04-18 07:49 |

Fix XSS in timeline_inc.php

Use of $_SERVER['PHP_SELF'] and outputting it as-is allows an attacker to inject arbitrary JavaScript as part of the URL. Using SCRIPT_NAME and passing it through string_sanitize_url() instead prevents the attack.

Fixes 0022742
Fixes https://github.com/mantisbt/mantisbt/pull/1094

Affected Issues | 0022742 |
---|---|
Files | mod - core/timeline_inc.php |
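The commit message above contrasts two ways of writing the current script path into a page. The following is an added example written for this issue page, not code from MantisBT or from the a1c71931 changeset: it puts the vulnerable pattern (echoing `$_SERVER['PHP_SELF']` as-is) beside the hardened one (reading `SCRIPT_NAME`, sanitizing it, and HTML-encoding it on output). `sanitize_url_path()` is a stand-in written for this example and is not MantisBT's `string_sanitize_url()`; the `$server` array is a constructed substitute for `$_SERVER`, and the appended path text is a harmless marker, not a payload.

```php
<?php
// Added example, not MantisBT code. Shows why PHP_SELF is unsafe to echo and
// what the fix described in the commit message looks like in general form.
declare(strict_types=1);

// Stand-in for a URL sanitizer (assumption: not MantisBT's string_sanitize_url()).
// Keeps only characters that can appear in a script path; quotes, angle
// brackets, whitespace and everything else are dropped.
function sanitize_url_path(string $path): string
{
    return preg_replace('#[^A-Za-z0-9/._~-]#', '', $path) ?? '';
}

// Vulnerable pattern: PHP_SELF includes any PATH_INFO the client appends to
// the request, so its value is attacker-controlled, and here it is written
// into an HTML attribute with no sanitizing or encoding.
function form_action_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened pattern: SCRIPT_NAME is the path of the executing script rather
// than the request URI; it is sanitized, then attribute-encoded as defense in
// depth, since output encoding is always appropriate for attribute context.
function form_action_hardened(array $server): string
{
    $path = sanitize_url_path($server['SCRIPT_NAME']);
    return '<form action="' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Constructed request values standing in for $_SERVER (assumption): a request
// for my_view_page.php with extra path info appended by the client. The
// appended text is a marker chosen to show attribute break-out, nothing more.
$server = [
    'SCRIPT_NAME' => '/my_view_page.php',
    'PHP_SELF'    => '/my_view_page.php/"><injected-markup>',
];

$vulnerable = form_action_vulnerable($server);
$hardened   = form_action_hardened($server);

// Check: the marker survives unchanged in the vulnerable output (the attribute
// is closed early and the marker becomes markup), while the hardened output is
// exactly the script path and nothing else.
$marker_passed_through = strpos($vulnerable, '<injected-markup>') !== false;
$hardened_is_clean     = $hardened === '<form action="/my_view_page.php" method="post">';

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;
echo ($marker_passed_through && $hardened_is_clean)
    ? "vulnerable output carried the marker through; hardened output is clean" . PHP_EOL
    : "unexpected result" . PHP_EOL;
```

Run with `php example.php`. The sanitizer is deliberately an allowlist rather than a blocklist of known-bad characters, and the encoding step is kept even though the sanitized path contains nothing to encode: a reviewer auditing a template should be able to see the encode call at the output site without having to trace where the value came from.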