[Bug 1051697] New: VUL-0: CVE-2017-12061: mantis,mantisbt: XSS in /admin/install.php script
http://bugzilla.opensuse.org/show_bug.cgi?id=1051697

Bug ID: 1051697
Summary: VUL-0: CVE-2017-12061: mantis,mantisbt: XSS in /admin/install.php script
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: astieger@suse.com
Reporter: astieger@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2017-12061: XSS in /admin/install.php script

A cross-site scripting (XSS) vulnerability in the MantisBT Installation script allows remote attackers to inject arbitrary code through crafted parameters. This is only possible if the admin/ folder was not deleted after installation, as recommended in the MantisBT Admin Guide [1].

Affected versions: 1.3.11 and older, 2.5.1 and older
Fixed in versions: 1.3.12, 2.5.2, 2.6.0 (not yet released*)

Patch:
- 1.3: https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458...
- 2.x: https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade78...

Credits:
- Reported by aLLy from ONSEC (https://twitter.com/IamSecurity)
- Fixed by Damien Regad (MantisBT Developer)

References:
- MantisBT issue tracker https://mantisbt.org/bugs/view.php?id=23146

[1] http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.instal...

* Releases 1.3.12, 2.5.2 and 2.6.0 are scheduled for release in the coming week.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1051697
http://bugzilla.opensuse.org/show_bug.cgi?id=1051697#c1

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Andreas Stieger <astieger@suse.com> ---
fixed

--
You are receiving this mail because:
You are on the CC list for the bug.
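The advisory quoted in the bug report gives two conditions for exposure: an affected MantisBT version (1.3.11 and older, 2.5.1 and older) and an admin/ directory that was left in place after installation, since /admin/install.php is the script carrying the XSS. The check below is an added example written for this page, not MantisBT code and not part of the bug report. It assumes that MantisBT records its version as the MANTIS_VERSION constant in core/constant_inc.php (an assumption about the tree layout; adjust the path or regex if your install differs), and the two install trees it inspects are constructed in a temporary directory purely for demonstration.

```python
"""Assess a MantisBT install tree for exposure to CVE-2017-12061.

Derived from the advisory text only:
  1. affected version: 1.x up to 1.3.11, 2.x up to 2.5.1
  2. admin/install.php still present (the MantisBT Admin Guide says to
     delete admin/ after installation; the vulnerable script is only
     reachable if that was not done)
"""
import os
import re
import tempfile
from typing import Optional, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Assumption: MantisBT defines MANTIS_VERSION in core/constant_inc.php,
# e.g. define( 'MANTIS_VERSION', '2.5.1' );  Adjust if your tree differs.
CONSTANT_RE = re.compile(r"define\(\s*'MANTIS_VERSION'\s*,\s*'([^']+)'\s*\)")

# First fixed release on each line named by the advisory; anything earlier
# on the same major line is affected ("1.3.11 and older, 2.5.1 and older").
FIXED = {1: (1, 3, 12), 2: (2, 5, 2)}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'MAJOR.MINOR.PATCH' (trailing suffixes ignored); None if malformed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if fixed or outside
    the advisory's lines, None if the version string is unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # major version not covered by the advisory
    return v < fixed


def read_installed_version(root: str) -> Optional[str]:
    """Extract MANTIS_VERSION from core/constant_inc.php under root."""
    path = os.path.join(root, "core", "constant_inc.php")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            m = CONSTANT_RE.search(fh.read())
    except OSError:
        return None
    return m.group(1) if m else None


def admin_install_present(root: str) -> bool:
    """The vulnerable script is reachable only if admin/install.php survives."""
    return os.path.isfile(os.path.join(root, "admin", "install.php"))


def assess(root: str) -> dict:
    """Combine both conditions; 'exposed' is True only when both hold."""
    version = read_installed_version(root)
    affected = is_affected(version) if version else None
    leftover = admin_install_present(root)
    return {
        "version": version,
        "affected_version": affected,
        "admin_install_present": leftover,
        "exposed": bool(affected) and leftover,
    }


def make_sample_tree(base: str, version: str, keep_admin: bool) -> str:
    """Build a constructed, minimal MantisBT-like tree for demonstration."""
    root = os.path.join(base, f"mantis-{version}-{'admin' if keep_admin else 'clean'}")
    os.makedirs(os.path.join(root, "core"))
    with open(os.path.join(root, "core", "constant_inc.php"), "w") as fh:
        fh.write(f"<?php\ndefine( 'MANTIS_VERSION', '{version}' );\n")
    if keep_admin:
        os.makedirs(os.path.join(root, "admin"))
        with open(os.path.join(root, "admin", "install.php"), "w") as fh:
            fh.write("<?php\n// constructed placeholder, not the real installer\n")
    return root


def demo_assessments() -> Tuple[dict, dict]:
    """Assess a vulnerable 2.5.1 tree with admin/ left behind and a 2.5.2 tree
    that was cleaned up; both trees are constructed in a temp directory."""
    with tempfile.TemporaryDirectory() as base:
        exposed = assess(make_sample_tree(base, "2.5.1", keep_admin=True))
        safe = assess(make_sample_tree(base, "2.5.2", keep_admin=False))
    return exposed, safe


if __name__ == "__main__":
    for result in demo_assessments():
        print(result)
```

Run it against a real deployment with `assess("/srv/www/mantisbt")`: an "affected_version" of None means the version constant was not found and should be checked by hand rather than treated as safe.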