Summary
This host is running MantisBT and is prone to multiple cross-site scripting vulnerabilities.
Impact
Successful exploitation will allow attackers to conduct cross-site scripting attacks.
Impact Level: Application.
Solution
Upgrade to MantisBT version 1.2.3 or later
For updates refer to http://www.mantisbt.org/download.php
Insight
Multiple flaws exist in the application which allow remote authenticated attackers to inject arbitrary web script or HTML via:
(1) A plugin name, related to 'manage_plugin_uninstall.php' (2) An 'enumeration' value
(3) A 'String' value of a custom field, related to 'core/cfdefs/cfdef_standard.php' (4) project
(5) category name to 'print_all_bug_page_word.php' or (6) 'Summary field', related to 'core/summary_api.php'
Affected
MantisBT version prior to 1.2.3
References
- http://www.mantisbt.org/bugs/changelog_page.php?version_id=111
- http://www.mantisbt.org/bugs/view.php?id=12231
- http://www.mantisbt.org/bugs/view.php?id=12232
- http://www.mantisbt.org/bugs/view.php?id=12234
- http://www.mantisbt.org/bugs/view.php?id=12238
- http://www.mantisbt.org/bugs/view.php?id=12309
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2010-3303, CVE-2010-3763 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities