CVE-2011-2938

Published: 21 September 2011

Multiple cross-site scripting (XSS) vulnerabilities in filter_api.php in MantisBT before 1.2.7 allow remote attackers to inject arbitrary web script or HTML via a parameter, as demonstrated by the project_id parameter to search.php.

Notes

Author	Note
jdstrand	per Debian, 1.1.8 not affected

Priority

Status

Package	Release	Status
mantis Launchpad, Ubuntu, Debian	hardy	Ignored (end of life)
	lucid	Not vulnerable
	maverick	Not vulnerable
	natty	Not vulnerable
	upstream	Released (1.2.6-1, 1.2.7)
	Patches: other: https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

References

http://www.openwall.com/lists/oss-security/2011/08/19/16
https://www.cve.org/CVERecord?id=CVE-2011-2938
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/828857
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638321

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›