View Issue Details

IDProjectCategoryView StatusLast Update
0027779mantisbtsecuritypublic2020-12-30 12:05
Reporteratrol Assigned Todregad  
PriorityhighSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Target Version2.24.4Fixed in Version2.24.4 
Summary0027779: CVE-2020-35571: XSS in helper_ensure_confirmed() calls
Description

There are several calls to helper_ensure_confirmed() that output unsanitized user data, which could potentially lead to XSS attacks.

Occurrences were identified in the following scripts, with the origin of potential attack as indicated:

  • manage_config_revert.php -- Project name
  • manage_custom_field_update.php -- Custom Field name
  • manage_filter_delete.php -- Saved Filter name
  • manage_proj_user_remove.php -- Username
  • manage_user_delete.php -- Username
  • manage_user_proj_delete.php -- Project name
Additional Information

Originally reported by @atrol in 0027768:0064811

TagsNo tags attached.

Relationships

related to 0027768 closeddregad When deleting a project, there should be information of how many (if any) issues are affected 

Activities

dregad

dregad

2020-12-19 19:32

developer   ~0064815

CVE Request 1003887 sent

dregad

dregad

2020-12-20 12:02

developer   ~0064819

CVE-2020-35571 assigned

Related Changesets

MantisBT: master-2.24 f6502be6

2020-12-19 12:27:48

dregad

Details Diff
Prevent XSS in helper_ensure_confirmed() calls

When the confirmation message references user-provided data, it needs
to be escaped prior to calling the function.

Fixes 0027779, CVE-2020-35571
Affected Issues
0027779
mod - manage_config_revert.php Diff File
mod - manage_custom_field_update.php Diff File
mod - manage_filter_delete.php Diff File
mod - manage_proj_user_remove.php Diff File
mod - manage_user_delete.php Diff File
mod - manage_user_proj_delete.php Diff File

MantisBT: master f6502be6

2020-12-19 12:27:48

dregad

Details Diff
Prevent XSS in helper_ensure_confirmed() calls

When the confirmation message references user-provided data, it needs
to be escaped prior to calling the function.

Fixes 0027779, CVE-2020-35571
Affected Issues
0027779
mod - manage_config_revert.php Diff File
mod - manage_custom_field_update.php Diff File
mod - manage_filter_delete.php Diff File
mod - manage_proj_user_remove.php Diff File
mod - manage_user_delete.php Diff File
mod - manage_user_proj_delete.php Diff File

MantisBT: master-2.24 6c3482d0

2020-12-19 12:50:40

dregad

Details Diff
Use parameterized string for confirmation messages

Previously, the confirmation message was built manually in several
places throughout the code, concatenating strings with variables.

We now use a string with parameters, which is fed to sprintf prior to
display. This gives translators more control to over the final message,
and allows removing now-unused $s_in_project string.

Updated strings:
- $s_confirm_custom_field_deletion
- $s_confirm_used_custom_field_deletion
- $s_confirm_custom_field_unlinking
- $s_config_delete_sure
- $s_confirm_file_delete_msg
- $s_delete_account_sure_msg
- $s_query_delete_msg
- $s_remove_user_sure_msg
- $s_version_delete_sure

Issue 0027779
Affected Issues
0027779
mod - lang/strings_english.txt Diff File
mod - manage_config_revert.php Diff File
mod - manage_custom_field_delete.php Diff File
mod - manage_filter_delete.php Diff File
mod - manage_proj_custom_field_remove.php Diff File
mod - manage_proj_user_remove.php Diff File
mod - manage_proj_ver_delete.php Diff File
mod - manage_user_delete.php Diff File
mod - manage_user_proj_delete.php Diff File
mod - proj_doc_delete.php Diff File

MantisBT: master 4d5023bc

2020-12-30 12:05:11

dregad

Details Diff
Fix typos in language strings

Per @Nikerabbit's feedback in 6c3482d009da931f43276d192bf66799402836bd.

- remove space before `?`
- remove unnecessary `:`
- typo in $s_remove_user_sure_msg

Issue 0027779
Affected Issues
0027779
mod - lang/strings_english.txt Diff File