CVE-2014-9269

Name: CVE-2014-9269
Description: Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when the Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues)
References: DSA-3120-1
NVD severity: low (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release             Version           Status
mantis (PTS)     wheezy              1.2.18-1          fixed
                 wheezy (security)   1.2.18-1+deb7u1   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency       Origin       Debian Bugs
mantis    source   (unstable)   (unfixed)       low
mantis    source   squeeze      (unfixed)       end-of-life
mantis    source   wheezy       1.2.18-1        low           DSA-3120-1

Notes

[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
http://github.com/mantisbt/mantisbt/commit/511564cc
http://www.mantisbt.org/bugs/view.php?id=17890
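The description above names the bug class (a cookie value rendered into the project browser without validation or encoding) but not how it looks in code. The following is an added illustration written for this page; it is not MantisBT's helper_api.php and not the content of the linked commit. It assumes the project cookie holds a ';'-separated trace of numeric project ids (e.g. "0;12;7") and uses a made-up cookie name; both are assumptions, as is the option-list markup used to stand in for the real browser output.

```php
<?php
// Added illustration, not MantisBT code. Assumed cookie format: a ';'-separated
// list of non-negative integer project ids, e.g. "0;12;7". Cookie name is made up.

const PROJECT_COOKIE = 'MANTIS_PROJECT_COOKIE'; // hypothetical name

// Vulnerable pattern: the raw cookie trace is split and echoed straight into
// markup, so a cookie value such as  0;12"><script>alert(1)</script>  lands
// in the page verbatim. Kept deliberately unsafe to show the bug class.
function render_project_browser_vulnerable($cookie) {
    $html = '';
    foreach (explode(';', $cookie) as $id) {
        $html .= "<option value=\"$id\">$id</option>\n";
    }
    return $html;
}

// Hardening step 1: validate the trace. Every element must be a string of
// decimal digits; anything else means the cookie was tampered with, so the
// whole value is rejected (caller should clear the cookie and fall back to
// the default project rather than try to "repair" it).
function parse_project_trace($cookie) {
    $ids = array();
    foreach (explode(';', $cookie) as $part) {
        if (!ctype_digit($part)) {   // rejects '', '-1', '1e3', '<', '"' ...
            return null;
        }
        $ids[] = (int) $part;
    }
    return $ids;
}

// Hardening step 2: encode on output anyway (defence in depth). Even a value
// that is an integer today may be rendered in a different context tomorrow.
function render_project_browser_hardened($cookie) {
    $ids = parse_project_trace($cookie);
    if ($ids === null) {
        return '';   // tampered cookie: render nothing from it
    }
    $html = '';
    foreach ($ids as $id) {
        $safe  = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<option value=\"$safe\">$safe</option>\n";
    }
    return $html;
}

// Constructed inputs for the demonstration (not captured traffic).
$benign  = '0;12;7';
$tainted = '0;12"><script>alert(1)</script>';

echo "vulnerable, benign:\n",  render_project_browser_vulnerable($benign);
echo "vulnerable, tainted:\n", render_project_browser_vulnerable($tainted);
echo "hardened, tainted -> ", var_export(parse_project_trace($tainted), true), "\n";
echo "hardened, benign:\n",   render_project_browser_hardened($benign);
```

Run it with `php example.php`: the vulnerable renderer emits the injected script tag inside the second option, while the hardened path returns null for the tampered trace and only ever emits digits for the benign one. The two steps are independent; validation alone would have closed the hole described here, but output encoding is what protects the page when a later change reuses the value somewhere validation was not applied.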
