View Issue Details

ID: 0008756
Project: mantisbt
Category: security
View Status: public
Last Update: 2008-01-27 17:45
Reporter: Borszczuk
Assigned To: giallu
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.1.0
Fixed in Version: 1.1.1
Summary: 0008756: "Most active bugs" summary XSS vulnerability
Description

I disabled all HTML tags using g_html_valid_tags, but still, in the "Most
Active" section of the "Summary" screen, tags are not escaped as expected.

Tags: No tags attached.

Activities

Borszczuk (reporter), 2008-01-16 16:15, note ~0016680
Last edited: 2008-01-16 16:16

See bug 0008723 for additional details

giallu (reporter), 2008-01-16 18:42, note ~0016684

Actually, it does not need to take into account g_html_valid_tags, but just avoid showing them as is: this is an XSS vector so I'm moving the bug to the correct category
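To make the distinction in the note above concrete, here is an added illustration (not MantisBT's own code, and not the patch in the linked changesets) of the two rendering patterns for a "Most Active" summary row. The row layout, the field names and the helper names are assumptions; the escaping uses PHP's htmlspecialchars() directly rather than any MantisBT string helper. An allow-list such as g_html_valid_tags only decides which tags survive when a field is rendered as rich text; a code path that echoes the raw summary bypasses it entirely, so the fix is to escape at the HTML output sink regardless of that setting.

```php
<?php
// Added example (not MantisBT code): the "most active bugs" summary rendered
// without and with output escaping.

// Constructed sample rows, shaped like what the summary page reads from the
// bug table. The second summary is a harmless test payload of the kind any
// reporter could submit through the normal "Report Issue" form.
$rows = array(
    array( 'id' => 1, 'summary' => 'Login page returns 500', 'notes' => 7 ),
    array( 'id' => 2, 'summary' => '<script>alert(1)</script>', 'notes' => 12 ),
);

// Vulnerable pattern: the raw summary is concatenated straight into markup.
// Whatever g_html_valid_tags says, the browser receives the tags unchanged.
function render_row_unescaped( array $row ) {
    return '<tr><td>' . $row['id'] . '</td><td>' . $row['summary']
        . '</td><td>' . $row['notes'] . '</td></tr>';
}

// Hardened pattern: every untrusted value is escaped at the point where it is
// written into HTML. ENT_QUOTES also neutralises single quotes, which matters
// if the same value is ever placed inside an attribute.
function html_escape( $value ) {
    return htmlspecialchars( (string) $value, ENT_QUOTES, 'UTF-8' );
}

function render_row_escaped( array $row ) {
    return '<tr><td>' . html_escape( $row['id'] ) . '</td><td>'
        . html_escape( $row['summary'] ) . '</td><td>'
        . html_escape( $row['notes'] ) . '</td></tr>';
}

foreach ( $rows as $row ) {
    echo render_row_unescaped( $row ), "\n";
    echo render_row_escaped( $row ), "\n";
}

// Self-check: the escaped output must carry no raw tag from user data.
$bad  = render_row_unescaped( $rows[1] );
$good = render_row_escaped( $rows[1] );
assert( strpos( $bad, '<script>' ) !== false );
assert( strpos( $good, '<script>' ) === false );
assert( strpos( $good, '&lt;script&gt;alert(1)&lt;/script&gt;' ) !== false );
```

Run with `php` from the command line; the first line printed for the second row contains a live `<script>` element, the second line shows it reduced to inert `&lt;script&gt;` text. The same test, applied to every place a summary string reaches HTML, is the check that would have caught this issue before release.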

giallu (reporter), 2008-01-16 18:51, note ~0016685

Also fixed in trunk

giallu (reporter), 2008-01-27 17:45, note ~0016854

Security advisories:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0404
http://secunia.com/advisories/28577/

Related Changesets

MantisBT: master-1.1.x fabe3938
2008-01-16 18:43, giallu

Fix 8756: "Most active bugs" summary XSS vulnerability

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@4896 f5dc347c-c33d-0410-90a0-b07cc1902cb9

Affected Issues: 0008756
mod - core/summary_api.php

MantisBT: master 294d34c3
2008-01-16 18:50, giallu

Fix 8756: "Most active bugs" summary XSS vulnerability

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@4897 f5dc347c-c33d-0410-90a0-b07cc1902cb9

Affected Issues: 0008756
mod - core/summary_api.php