View Issue Details

IDProjectCategoryView StatusLast Update
0024814mantisbtsecuritypublic2018-10-27 16:22
ReporteratrolAssigned Toatrol 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version2.1.0 
Target Version2.17.2Fixed in Version2.17.2 
Summary0024814: CVE-2018-17783: XSS in manage_filter_edit_page.php
Description

Project Name is printed on manage_filter_edit_page.php without being sanitized.

TagsNo tags attached.

Activities

atrol

atrol

2018-09-29 05:36

developer  

24814-XSS-manage_filter_edit_page.patch (1,786 bytes)
From 2fa781fa93c52f854f88e0a0123da13e94528473 Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Sat, 29 Sep 2018 11:33:47 +0200
Subject: [PATCH] Fix XSS in manage_filter_edit_page

Fixes #24814
---
 manage_filter_edit_page.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manage_filter_edit_page.php b/manage_filter_edit_page.php
index 9478d059c..ddb6fddb8 100644
--- a/manage_filter_edit_page.php
+++ b/manage_filter_edit_page.php
@@ -185,14 +185,14 @@ $t_filter_project_id = filter_get_field( $f_filter_id, 'project_id' );
 								<?php if( ALL_PROJECTS != $t_filter_project_id ) { ?>
 								<label>
 									<input type="radio" class="ace input-sm" name="filter_project_id" value="<?php echo $t_filter_project_id ?>" <?php check_checked( ALL_PROJECTS != $t_filter_project_id ) ?>>
-									<span class="lbl padding-6"><?php echo lang_get( 'stored_project' ) . ' (' . project_get_name( $t_filter_project_id ) . ')' ?></span>
+									<span class="lbl padding-6"><?php echo lang_get( 'stored_project' ) . ' (' . string_display_line( project_get_name( $t_filter_project_id ) ) . ')' ?></span>
 								</label>
 								<br>
 								<?php } ?>
 								<?php if( $t_filter_project_id != $t_current_project_id ) { ?>
 								<label>
 									<input type="radio" class="ace input-sm" name="filter_project_id" value="<?php echo $t_current_project_id ?>">
-									<span class="lbl padding-6"><?php echo lang_get( 'current_project' ) . ' (' . project_get_name( $t_current_project_id ) . ')' ?></span>
+									<span class="lbl padding-6"><?php echo lang_get( 'current_project' ) . ' (' . string_display_line( project_get_name( $t_current_project_id ) ) . ')' ?></span>
 								</label>
 								<?php } ?>
 							</td>
-- 
2.19.0

atrol

atrol

2018-09-29 12:11

developer   ~0060702

CVE Request 577429 sent to MITRE

atrol

atrol

2018-09-29 15:34

developer   ~0060704

CVE-2018-17783 assigned

vboctor

vboctor

2018-09-29 18:24

manager   ~0060706

Looks good.

dregad

dregad

2018-09-30 07:03

developer   ~0060709

I'm OK with the patch for both 0024813 and 0024814, I confirm it addresses the vulnerability.

@atrol, thanks for going through the whole process including CVE request. As a side note, a single CVE ID for both issues would probably have been sufficient in this case, as it's the same error on both pages.

Related Changesets

MantisBT: master-2.17 b9453cd7

2018-09-29 05:33:47

atrol

Details Diff
Fix XSS in manage_filter_edit_page

Fixes 0024814
Affected Issues
0024814
mod - manage_filter_edit_page.php Diff File

Issue History

Date Modified Username Field Change
2018-09-29 04:58 atrol New Issue
2018-09-29 04:58 atrol Status new => assigned
2018-09-29 04:58 atrol Assigned To => atrol
2018-09-29 05:36 atrol File Added: 24814-XSS-manage_filter_edit_page.patch
2018-09-29 05:45 atrol Product Version => 2.1.0
2018-09-29 12:11 atrol Note Added: 0060702
2018-09-29 15:34 atrol Summary XSS in manage_filter_edit_page.php => CVE-2018-17783: XSS in manage_filter_edit_page.php
2018-09-29 15:34 atrol Note Added: 0060704
2018-09-29 18:24 vboctor Note Added: 0060706
2018-09-30 07:03 dregad Note Added: 0060709
2018-09-30 07:05 dregad Target Version => 2.17.2
2018-10-01 05:09 atrol Changeset attached => MantisBT master-2.17 b9453cd7
2018-10-01 05:09 atrol Status assigned => resolved
2018-10-01 05:09 atrol Resolution open => fixed
2018-10-01 05:10 atrol Fixed in Version => 2.17.2
2018-10-16 23:41 vboctor Status resolved => closed
2018-10-27 16:22 atrol View Status private => public