Cross-site scripting (XSS) vulnerability in view.php in Mantis before 1.1.0 allows remote attackers to inject arbitrary web script or HTML via a filename, related to bug_report.php.

The remote host is affected by the vulnerability described in GLSA-200803-04 (Mantis: XSS)

    seiji reported that the filename for the uploaded file in     bug_report.php is not properly sanitised before being stored.
  Impact :

    A remote attacker could upload a file with a specially crafted to a bug     report, resulting in the execution of arbitrary HTML and script code     within the context of the users's browser. Note that this vulnerability     is only exploitable by authenticated users.
  Workaround :

    There is no known workaround at this time.

Several remote vulnerabilities have been discovered in Mantis, a web-based bug tracking system. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-6574     Custom fields were not appropriately protected by     per-item access control, allowing for sensitive data to     be published.

  - CVE-2007-6611     Multiple cross site scripting issues allowed a remote     attacker to insert malicious HTML or web script into     Mantis web pages.

Please note this is a major mantis release, and a upgrade to the DB schema is needed.

Please refer to the package documentation to complete the upgrade.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host appears to be running a vulnerable version of Mantis, a bug tracker web application written in PHP. It is reported that versions lower than 1.1.0 are vulnerable to a persistent HTML injection attack.  The root of the flaw is in the way that Mantis handles user-supplied data to the 'view.php' script.  An attacker exploiting this flaw would only need the ability to send HTTP requests to the 'view.php' script.  Successful exploitation would result in arbitrary code being executed within the browser of other Mantis users. 

ID	Name	Product	Family	Severity
31379	GLSA-200803-04 : Mantis: XSS	Nessus	Gentoo Local Security Checks	medium
30023	Debian DSA-1467-1 : mantis - several vulnerabilities	Nessus	Debian Local Security Checks	medium
29865	Fedora 8 : mantis-1.1.0-1.fc8 (2008-0353)	Nessus	Fedora Local Security Checks	medium
29862	Fedora 7 : mantis-1.1.0-1.fc7 (2008-0282)	Nessus	Fedora Local Security Checks	medium
4326	Mantis < 0.9.5 / 1.1.0 RC5 view.php HTML Injection	Nessus Network Monitor	CGI	high

Detections

Analytics

CVE-2007-6611

medium

Tenable Plugins

medium

medium

medium

medium

high