CVE-2006-0841
Multiple cross-site scripting (XSS) vulnerabilities in Mantis 1.00rc4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) hide_status, (2) handler_id, (3) user_monitor, (4) reporter_id, (5) view_type, (6) show_severity, (7) show_category, (8) show_status, (9) show_resolution, (10) show_build, (11) show_profile, (12) show_priority, (13) highlight_changed, (14) relationship_type, and (15) relationship_bug parameters in (a) view_all_set.php; the (16) sort parameter in (b) manage_user_page.php; the (17) view_type parameter in (c) view_filters_page.php; and the (18) title parameter in (d) proj_doc_delete.php. NOTE: item 17 might be subsumed by CVE-2005-4522.
Affected products
n/a · n/a

Public PoCs found — 2
exploitdb: www.exploit-db.com/exploits/27229 (unverified)
exploitdb: www.exploit-db.com/exploits/27228 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://morph3us.org/advisories/20060214-mantis-100rc4.txt
http://secunia.com/advisories/21400
http://sourceforge.net/project/showfiles.php?group_id=14963&package_id=12175&release_id=386059
http://sourceforge.net/project/shownotes.php?release_id=386059&group_id=14963
http://www.debian.org/security/2006/dsa-1133
http://www.osvdb.org/22487
http://www.osvdb.org/23248
http://www.securityfocus.com/archive/1/425046/100/0/threaded
http://www.securityfocus.com/bid/16657