Executive Summary
Summary | |
---|---|
Title | New mantis packages fix execution of arbitrary web script code |
Information | | | |
---|---|---|---|
Name | DSA-1133 | First vendor Publication | 2006-08-01 |
Vendor | Debian | Last vendor Modification | 2006-08-01 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Several remote vulnerabilities have been discovered in the Mantis bug tracking system, which may lead to the execution of arbitrary web script. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-0664: A cross-site scripting vulnerability was discovered in config_defaults_inc.php.

CVE-2006-0665: Cross-site scripting vulnerabilities were discovered in query_store.php and manage_proj_create.php.

CVE-2006-0841: Multiple cross-site scripting vulnerabilities were discovered in view_all_set.php, manage_user_page.php, view_filters_page.php and proj_doc_delete.php.

CVE-2006-1577: Multiple cross-site scripting vulnerabilities were discovered in view_all_set.php.

For the stable distribution (sarge) these problems have been fixed in version 0.19.2-5sarge4.1.

For the unstable distribution (sid) these problems have been fixed in version 0.19.4-3.1.

We recommend that you upgrade your mantis package.
Original Source
Url : http://www.debian.org/security/2006/dsa-1133
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 1133-1 (mantis) File : nvt/deb_1133_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
24292 | Mantis view_all_set.php Multiple Parameter XSS. Mantis contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'start_day', 'start_year', and 'start_month' variables upon submission to the view_all_set.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
23248 | Mantis view_all_set.php Multiple Parameter XSS. Mantis contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'hide_status', 'handler_id', 'user_monitor', 'reporter_id', 'view_type', 'show_severity', 'show_category', 'show_status', 'show_resolution', 'show_build', 'show_profile', 'show_priority', 'highlight_changed', 'relationship_type', and 'relationship_bug' variables upon submission to the 'view_all_set.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
23082 | Mantis manage_proj_create.php title Parameter XSS |
23081 | Mantis query_store.php Unspecified Input Validation Issue |
23080 | Mantis config_defaults_inc.php Unspecified XSS |
22487 | Mantis manage_user_page.php sort Parameter XSS. Mantis contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate variables upon submission to the manage_users functionality. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1133.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:26:03 |