GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sun Sep 21, 2008 6:26 pm Post subject: [ GLSA 200809-10 ] Mantis: Multiple vulnerabilities |
 |
|
Gentoo Linux Security Advisory
Title: Mantis: Multiple vulnerabilities (GLSA 200809-10)
Severity: high
Exploitable: remote
Date: September 21, 2008
Updated: November 26, 2008
Bug(s): #222649, #233336
ID: 200809-10
Synopsis
Multiple vulnerabilities have been reported in Mantis.
Background
Mantis is a PHP/MySQL/Web based bugtracking system.
Affected Packages
Package: www-apps/mantisbt
Vulnerable: < 1.1.2
Unaffected: >= 1.1.2
Architectures: All supported architectures
Description
Antonio Parata and Francesco Ongaro reported a Cross-Site Request Forgery vulnerability in manage_user_create.php (CVE-2008-2276), a Cross-Site Scripting vulnerability in return_dynamic_filters.php (CVE-2008-3331), and an insufficient input validation in adm_config_set.php (CVE-2008-3332). A directory traversal vulnerability in core/lang_api.php (CVE-2008-3333) has also been reported.
Impact
A remote attacker could exploit these vulnerabilities to execute arbitrary HTML and script code, create arbitrary users with administrative privileges, execute arbitrary PHP commands, and include arbitrary files.
Workaround
There is no known workaround at this time.
Resolution
All Mantis users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mantisbt-1.1.2" |
References
CVE-2008-2276
CVE-2008-3331
CVE-2008-3332
CVE-2008-3333
Last edited by GLSA on Thu Nov 27, 2008 4:19 am; edited 1 time in total |
|
News & Announcements
