Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2014-9272
Last Modified 12 Jan 2015 12:37:50
Published 09 Jan 2015 01:59:03
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2014-9272

Summary

The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol.

Vulnerable Systems

Operating System

  • Debian Linux 7.0

Application

  • Mantisbt 1.1.0

  • Mantisbt 1.1.1

  • Mantisbt 1.1.2

  • Mantisbt 1.1.3

  • Mantisbt 1.1.4

  • Mantisbt 1.1.5

  • Mantisbt 1.1.6

  • Mantisbt 1.1.7

  • Mantisbt 1.1.8

  • Mantisbt 1.1.9

  • Mantisbt 1.2.0

  • Mantisbt 1.2.1

  • Mantisbt 1.2.10

  • Mantisbt 1.2.11

  • Mantisbt 1.2.12

  • Mantisbt 1.2.13

  • Mantisbt 1.2.14

  • Mantisbt 1.2.15

  • Mantisbt 1.2.16

  • Mantisbt 1.2.17

  • Mantisbt 1.2.2

  • Mantisbt 1.2.3

  • Mantisbt 1.2.4

  • Mantisbt 1.2.5

  • Mantisbt 1.2.6

  • Mantisbt 1.2.7

  • Mantisbt 1.2.8

  • Mantisbt 1.2.9


References

CONFIRM - https://www.mantisbt.org/bugs/view.php?id=17297

CONFIRM - https://github.com/mantisbt/mantisbt/commit/05378e00

DEBIAN - DSA-3120

MLIST - [oss-security] 20141204 Re: CVE Request: Multiple XSS vulnerabilities in MantisBT

MLIST - [oss-security] 20141201 CVE Request: Multiple XSS vulnerabilities in MantisBT


Last Updated: 27 May 2016 11:07:29