National Cyber Awareness System

Vulnerability Summary for CVE-2011-3356

Overview

Multiple cross-site scripting (XSS) vulnerabilities in config_defaults_inc.php in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO, as demonstrated by the PATH_INFO to (1) manage_config_email_page.php, (2) manage_config_workflow_page.php, or (3) bugs/plugin.php.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://github.com/mantisbt/mantisbt/commit/d00745f5e267eba4ca34286d125de685bc3a8034

Type: Patch Information

Hyperlink:https://github.com/mantisbt/mantisbt/commit/d00745f5e267eba4ca34286d125de685bc3a8034

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=735514

Type: Patch Information; Exploit

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=735514

External Source: FEDORA

Name: FEDORA-2011-12369

Type: Patch Information; Exploit

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2011-September/066061.html

External Source: CONFIRM

Name: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297

Type: Patch Information; Exploit

Hyperlink:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297

External Source: MISC

Name: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

Hyperlink:https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

External Source: XF

Name: mantisbt-unspecified-xss(69587)

Hyperlink:http://xforce.iss.net/xforce/xfdb/69587

External Source: BID

Name: 49448

Hyperlink:http://www.securityfocus.com/bid/49448

External Source: BUGTRAQ

Name: 20110905 Multiple vulnerabilities in MantisBT

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/519547/100/0/threaded

External Source: MLIST

Name: [oss-security] 20110909 Re: CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS, 2xXSS)

Hyperlink:http://www.openwall.com/lists/oss-security/2011/09/09/9

External Source: MLIST

Name: [oss-security] 20110904 CVE requests: <mantisbt-1.2.8 multiple vulnerabilities (1xLFI+XSS, 2xXSS)

Hyperlink:http://www.openwall.com/lists/oss-security/2011/09/04/1

External Source: CONFIRM

Name: http://www.mantisbt.org/bugs/view.php?id=13281

Hyperlink:http://www.mantisbt.org/bugs/view.php?id=13281

External Source: CONFIRM

Name: http://www.mantisbt.org/bugs/view.php?id=13191

Hyperlink:http://www.mantisbt.org/bugs/view.php?id=13191

External Source: SREASON

Name: 8392

Hyperlink:http://securityreason.com/securityalert/8392

External Source: MLIST

Name: [debian-security-tracker] 20110908 Security Fix for mantis stable 1.1.8

Hyperlink:http://lists.debian.org/debian-security-tracker/2011/09/msg00012.html