mantis
- Author: Miklos Vajna
- Vulnerable: 1.2.7-1mores1
- Unaffected: 1.2.8-1mores1
Some vulnerabilities have been reported in MantisBT, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose potentially sensitive information and by malicious users to compromise a vulnerable system.
- Certain input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
- Input passed to the “action” parameter in bug_actiongroup_ext_page.php and bug_actiongroup_page.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
  Note: In combination with MantisBT’s file upload functionality, this can be exploited to execute arbitrary PHP code.
- Input passed to the “os”, “os_build”, and “platform” parameters in bug_report_page.php and bug_update_advanced_page.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
- Bug Tracker URL: http://bugs.frugalware.org/task/4586
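
A log check for the file-inclusion issue above, as an added example that is not part of the original advisory or of MantisBT: it flags requests to the two affected pages whose query-string “action” value contains a NULL byte, traversal characters, or anything other than a plain identifier. The identifier pattern, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pages and parameter named in the advisory.
PAGES = {"bug_actiongroup_page.php", "bug_actiongroup_ext_page.php"}
# Assumption: a legitimate action value is a short plain identifier.
SAFE_ACTION = re.compile(r"[A-Za-z0-9_]{1,64}")
# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_actions(log_lines):
    """Return (line_number, reason) for suspect action values on the affected pages."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path.rsplit("/", 1)[-1] not in PAGES:
            continue
        # parse_qs percent-decodes once, so %2e%2e%2f and %00 are seen decoded;
        # a double-encoded value keeps its "%" and fails the identifier check.
        for value in parse_qs(url.query, keep_blank_values=True).get("action", []):
            if "\x00" in value:
                hits.append((number, "null byte"))
            elif ".." in value or "/" in value or "\\" in value:
                hits.append((number, "path traversal"))
            elif not SAFE_ACTION.fullmatch(value):
                hits.append((number, "unexpected characters"))
    return hits

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2011:10:00:00 +0000] "GET /mantis/bug_actiongroup_page.php?action=COPY HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2011:10:00:05 +0000] "GET /mantis/bug_actiongroup_page.php?action=..%2F..%2Fexample%00 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2011:10:00:09 +0000] "GET /mantis/bug_actiongroup_ext_page.php?action=%2e%2e%2fexample HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2011:10:00:12 +0000] "GET /mantis/view.php?id=1&action=../x HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, reason in suspicious_actions(SAMPLE):
        print(f"line {number}: {reason}")
```

POST bodies do not appear in standard access logs, so this covers only values sent in the query string.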