Re: Re: Multiple CVE requests for MantisBT

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/08/2013 11:00 AM, Kurt Seifried wrote:
> On 04/08/2013 03:47 AM, Damien Regad wrote:
> > Kurt Seifried <kseifried@...> writes:
> > > Please use CVE-2013-1930 for this issue.
>
> > Hi Kurt,
>
> > Thanks for assigning the 3 CVE's.
>
> > > > 4. XSS issue on Configuration Report page when displaying 
> > > > complex value
> > > >
> > > > This issue affects Mantis 1.2.0rc1 and later.
> > > >
> > > > Lack of proper string escaping allows users (having admin 
> > > > access) to enter arbitrary javascript code and have it
> > > > executed on the user's browser.
> > > >
> > > > Reference: http://www.mantisbt.org/bugs/view.php?id=15416
> > >
> > > Does this count as a proper release or does it fall into the 
> > > "beta" classification?
>
> > 1.2.0rc1 was a beta release. The first "proper" release affected
> > by this was 1.2.0
>
> Ok not assigning a CVE then, unless there are a large number of
> users betas don't get CVEs.

Steve just pointed out I may have misread this. Is 1.2.0 vulnerable,
and this is fixed in 1.2.1, or was it fixed in the 1.2.0 release (so
ONLY 1.2.0-rc1 was affected)?

> > Hope this clarifies, let me know if you need more info.
>
> > Damien

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRYwTwAAoJEBYNRVNeJnmTB3IP/R29jPp63GvWs/kBjEyHgpDc
QTgMSSNTwLKdn0AWE9tUmh63TWjbBrIqndh3N1Sd2rN7ZFExkOMkgvCndZIzdy+F
w3kiG38W7zZIObHrBsHTnM112pc40wOWNt/Qxy9zn5ExNP8AtIyb/iHfYSvqyTNh
tFPZT23849d/RtoKmZ1E7NDACvEHvSCVj4032AzRNFsBjxH+RXT+dF3gWVj257Sf
MQVLghMBzya4vo/s0vvGdmu2t44+GtNwP1vSh/LWObBx60Yc+DdJvqBS9IcH7na0
K7pociQ6Gk/LTcB1f0G3w5aNGzTBRk3VPt1/m0tlortH03hQ1elt41YxPGTKXyAA
K1yfE++VQQ3pBJVR0fNNr2FguPYpAWlGWAufeUkzBJOUKdQNul4iDWzPUaETiyUQ
QiK8VhWwckR17aI5xVmmA580S11fVGFtwCFwc8lZlk8ayzvq8ZmjKckDv2ZOOSy/
OyvD6yd3ZNxMrTXXKJsDUdtmKe0dG2fp8YFfpn1tVZXhaKAU5a4kTl3aWGgDBZTa
X/1FUNK6YCC0dVgHBF6QgFy6Jg7y4xwxL9upGkueerYf9b/kJzHEbRgQ6s/OTf4j
I2+bDD+5oBMsWly12tNybbGOUItEXDJesO4TYtOqX8aWO3t0gJsa9IZMsqwTaq4t
TQGvpC+vhflNs2EdknVc
=gziP
-----END PGP SIGNATURE-----