http://bugzilla.opensuse.org/show_bug.cgi?id=1051698

Bug ID: 1051698
Summary: VUL-0: CVE-2017-12062: mantis,mantisbt: XSS in manage_user_page.php
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: astieger@suse.com
Reporter: astieger@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2017-12062: XSS in manage_user_page.php

A cross-site scripting (XSS) vulnerability in the MantisBT Manage User page
allows remote attackers to inject arbitrary code (if CSP settings permit it)
through a crafted 'filter' parameter.

Affected versions:
2.1.0 through 2.5.1

Fixed in versions:
2.5.2, 2.6.0 (not yet released*)

Patch:
https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd...

Credits:
- Reported by Trí Chim Trích (https://twitter.com/trichimtrich)
- Fixed by Roland Becker (MantisBT Developer)

References:
- MantisBT issue tracker http://www.mantisbt.org/bugs/view.php?id=23166

* Releases 1.3.12, 2.5.2 and 2.6.0 are scheduled for release in the coming week.