CVE-2014-9269

Name: CVE-2014-9269
Description: Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DSA-3120-1
NVD severity: low (attack range: remote)

The information below is based on the following data on fixed versions.

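| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mantis | source | (unstable) | (unfixed) | low | | |
| mantis | source | squeeze | (unfixed) | end-of-life | | |
| mantis | source | wheezy | 1.2.18-1 | low | DSA-3120-1 | |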

Notes

[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
http://github.com/mantisbt/mantisbt/commit/511564cc
http://www.mantisbt.org/bugs/view.php?id=17890
