View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0027304 | mantisbt | security | public | 2020-09-21 00:44 | 2020-09-25 14:53

Field | Value
---|---
Reporter | d3vpoo1
Assigned To | dregad
Priority | normal
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Platform | Windows
OS | Windows
OS Version | Windows
Product Version | 2.24.2
Target Version | 2.24.3
Fixed in Version | 2.24.3
Summary | 0027304: CVE-2020-25830: HTML Injection in bug_actiongroup_page.php
Description | A crafted custom field name may be used to inject HTML into
Steps To Reproduce | bug_actiongroup_page.php opens, and you see a rendered input field, with value of Look I Injected this (see attached screenshot poc.png)
Additional Information | None
Tags | No tags attached.
Attached Files |
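As an added illustration of the defect and of what the fix changes (example code written for this page, not MantisBT's own): the page title is built with sprintf() from a custom field name read from the database, so a name that contains markup reaches the HTML unescaped, and the same title is reused for a button, i.e. inside an attribute value. Encoding the name before interpolation turns the markup into literal text. The format string and the field name are constructed; example_string_attribute() is my stand-in for MantisBT's string_attribute(), whose exact flags I am assuming; render_button() and is_safe_for_attribute() are hypothetical helpers.

```php
<?php
// Added example, not MantisBT code: how an unescaped custom field name ends
// up as markup in bug_actiongroup_page.php, and what the fix changes.

// Constructed stand-ins for the format string returned by
// lang_get( 'actiongroup_menu_update_field' ) and for the custom field
// definition that custom_field_get_definition() reads from the database.
$t_format = 'Update %s';
$t_custom_field_def = array( 'name' => '<b>Look "I" Injected this</b>' );

// Assumed equivalent of MantisBT's string_attribute(): encode the string for
// an HTML attribute value. ENT_QUOTES also encodes both quote characters, so
// the value cannot terminate the attribute it is placed in.
function example_string_attribute( $p_string ) {
	return htmlspecialchars( $p_string, ENT_QUOTES, 'UTF-8' );
}

// Before the fix: the raw name is interpolated straight into the title.
function title_unescaped( $p_format, $p_def ) {
	return sprintf( $p_format, $p_def['name'] );
}

// After the fix: the name is encoded before sprintf(), so the browser shows
// the tags as literal text instead of parsing them.
function title_escaped( $p_format, $p_def ) {
	return sprintf( $p_format, example_string_attribute( $p_def['name'] ) );
}

// The title is also reused as the button title, so it lands inside an
// attribute value; this helper shows that output context.
function render_button( $p_title ) {
	return '<input type="submit" value="' . $p_title . '" />';
}

// Regression check a test suite could keep: an escaped title must not carry
// raw angle brackets or double quotes into the attribute.
function is_safe_for_attribute( $p_title ) {
	return strpbrk( $p_title, '<>"' ) === false;
}

$t_before = title_unescaped( $t_format, $t_custom_field_def );
$t_after  = title_escaped( $t_format, $t_custom_field_def );

echo "Before: " . render_button( $t_before ) . "\n";
echo "After:  " . render_button( $t_after ) . "\n";
echo "Before safe? " . var_export( is_safe_for_attribute( $t_before ), true ) . "\n";
echo "After safe?  " . var_export( is_safe_for_attribute( $t_after ), true ) . "\n";
```

Run it with `php example.php`: the "Before" line shows the tags and the quote landing inside the value attribute, the "After" line shows them as entities, and only the escaped title passes is_safe_for_attribute().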
Will look into it. BTW I'm just about to release 2.24.3 so I'd like to know if I should defer that and wait for you to complete your pen test in expectation of further security reports, or if you're done and I can go ahead (after fixing this one of course)...

Please check this issue first, then I will stop the pentest for the current version... If this is worth checking, please pause the release of the next version, but if not, please continue to release it..

Bug confirmed.

@d3vpoo1 In reply to 0027304:0064465, I'm not sure you understood what I meant. Cutting a new release requires work, so I would rather avoid publishing 2.24.3 (now or in a few days) while you continue to search for vulnerabilities and would potentially submit more security issues, which would require me to cut 2.24.4 just a few days after. So the question is, again: did you complete your pentest, or are you still running it and should we expect more findings in the coming days? If not, I'll release 2.24.3 now, and if yes I'll wait until you tell me you're done, so I can do a single, bigger release with all the required fixes for your upcoming bug reports.

Apologies, I decided to stop my testing (already finished).
CVE Request 963152 sent. See proposed fix in attached patch. 0001-Fix-XSS-in-bug_actiongroup_page.php.patch (1,225 bytes)
From cc69f7f43744d037b201b05a4610022189e99d87 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Wed, 23 Sep 2020 18:36:32 +0200 Subject: [PATCH] Fix XSS in bug_actiongroup_page.php Improper escaping of the custom field's name allowed an attacker to inject HTML into the page. Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for the finding. Fixes #27304 --- bug_actiongroup_page.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bug_actiongroup_page.php b/bug_actiongroup_page.php index cdebbf49e..2610ab9cb 100644 --- a/bug_actiongroup_page.php +++ b/bug_actiongroup_page.php @@ -225,7 +225,9 @@ switch( $f_action ) { break; case 'CUSTOM' : $t_custom_field_def = custom_field_get_definition( $t_custom_field_id ); - $t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) ); + $t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ), + string_attribute( lang_get_defaulted( $t_custom_field_def['name'] ) ) + ); $t_button_title = $t_question_title; $t_form = 'custom_field_' . $t_custom_field_id; $t_event_params['custom_field_id'] = $t_custom_field_id; -- 2.25.1 |
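Review bot: The escaping in this hunk is applied when $t_question_title is built rather than at output, and the next line copies that value into $t_button_title, so both variables now hold a pre-encoded string. Any consumer that escapes them again on output (string_attribute() or similar) would double-encode the custom field name, while any consumer that prints them raw depends on this one call; please confirm where the two variables are echoed and that they are printed without re-escaping. The other cases of this switch are not shown in the hunk, so it is worth checking whether they build $t_question_title from untrusted input with the same sprintf()/lang_get_defaulted() pattern and need the same string_attribute() wrapping. A line in the commit message noting that the title is used both as page text and as a button attribute, and that string_attribute() is the right encoder for both contexts, would document why a single function covers them.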
CVE-2020-25830 assigned

MantisBT: master-2.24 8c6f4d88 2020-09-23 08:36

Fix XSS in bug_actiongroup_page.php

Improper escaping of the custom field's name allowed an attacker to inject HTML into the page. Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for the finding. Fixes 0027304

Affected Issues 0027304

mod - bug_actiongroup_page.php