Package(s): mantis
CVE #(s): CVE-2013-0197 CVE-2013-1883
Created: April 1, 2013
Updated: April 3, 2013
Description: From the Red Hat bugzilla [1, 2]:
A denial of service flaw was found in the way MantisBT, a free popular web-based issue tracking system, performed processing of certain types of View Issues page search queries. A remote attacker could provide a specially-crafted query (a filter combining some criteria and a text search with 'any condition') that, when processed by the MantisBT system, would lead to excessive system resource consumption (denial of service), possibly leading to complete MantisBT server instance unavailability. (CVE-2013-1883)
A persistent cross-site scripting (XSS) flaw was found in the way Mantis, a web-based issue tracking system, performed sanitization of the 'match_type' parameter. A remote attacker could provide a specially-crafted URL that, when processed by a Mantis instance, would lead to arbitrary web script or HTML execution. (CVE-2013-0197)
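The following is an added illustration of the class of bug described for CVE-2013-0197, not Mantis code and not taken from the Red Hat report. It models a filter whose `match_type` value is stored and later rendered back into the page: the vulnerable renderer interpolates the stored value raw, so a script injected once is replayed on every later render (that is what makes the XSS persistent); the hardened renderer validates the value against an allowlist and HTML-escapes on output. The numeric codes, the `saved_filters` store and the attacker payload are all constructed for the example.

```python
import html

# Constructed allowlist of legal match_type values. The names mirror the
# "all conditions / any condition" filter modes named in the advisory; the
# numeric codes are an assumption for this example, not Mantis's constants.
MATCH_TYPES = {"0": "all conditions", "1": "any condition"}

# Constructed stand-in for a saved-filter store. Storing the raw parameter is
# what turns a one-off reflected payload into a persistent one: every later
# render of the filter page replays it to whoever views it.
saved_filters: dict[str, str] = {}


def save_filter(name: str, match_type: str) -> None:
    """Store the submitted parameter exactly as received (no validation)."""
    saved_filters[name] = match_type


def render_vulnerable(name: str) -> str:
    """Vulnerable pattern: the stored value goes straight into HTML."""
    mt = saved_filters[name]
    return f'<input type="hidden" name="match_type" value="{mt}">'


def render_hardened(name: str) -> str:
    """Hardened pattern: allowlist the value, fall back to a safe default for
    anything unexpected, and still HTML-escape on output (defence in depth,
    so a future change to the allowlist cannot reintroduce the injection)."""
    mt = saved_filters[name]
    if mt not in MATCH_TYPES:
        mt = "0"
    return (
        f'<input type="hidden" name="match_type" value="{html.escape(mt, quote=True)}">'
        f'<span>{html.escape(MATCH_TYPES[mt])}</span>'
    )


# Constructed attacker input: closes the value attribute, injects a script,
# then opens a dummy attribute so the remaining markup still parses.
PAYLOAD = '"><script>alert(1)</script><x a="'

if __name__ == "__main__":
    save_filter("mine", PAYLOAD)
    print(render_vulnerable("mine"))   # script tag lands in the page
    print(render_hardened("mine"))     # value reset to "0", payload gone
```

Escaping alone would also stop this particular payload, but for a parameter with a small fixed set of legal values the allowlist is the primary control: it rejects the input before it reaches storage or any query builder, rather than relying on every output site remembering to escape.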