svn commit: r475643 - head/security/vuxml
Jochen Neumeister
joneum at FreeBSD.org
Sun Jul 29 10:42:24 UTC 2018
Author: joneum
Date: Sun Jul 29 10:42:23 2018
New Revision: 475643
URL: https://svnweb.freebsd.org/changeset/ports/475643
Log:
document mantis issues
PR: 229880
Submitted by: Nathan <ndowens.fbsd at yandex.com>
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Jul 29 10:40:28 2018 (r475642)
+++ head/security/vuxml/vuln.xml Sun Jul 29 10:42:23 2018 (r475643)
@@ -58,6 +58,42 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="0822a4cf-9318-11e8-8d88-00e04c1ea73d">
+ <topic>mantis -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mantis</name>
+ <range><lt>2.15.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>mantis reports:</p>
+ <blockquote cite="https://github.com/mantisbt/mantisbt/commit/8b5fa243dbf04344a55fe880135ec149fc1f439f">
+ <p>Teun Beijers reported a cross-site scripting (XSS) vulnerability in
+ the Edit Filter page which allows execution of arbitrary code
+ (if CSP settings permit it) when displaying a filter with a crafted
+ name. Prevent the attack by sanitizing the filter name before display.</p>
+ <p>Ömer Cıtak, Security Researcher at Netsparker, reported this
+ vulnerability, allowing remote attackers to inject arbitrary code
+ (if CSP settings permit it) through a crafted PATH_INFO on
+ view_filters_page.php. Prevent the attack by sanitizing the output
+ of $_SERVER['PHP_SELF'] before display.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/mantisbt/mantisbt/commit/8b5fa243dbf04344a55fe880135ec149fc1f439f</url>
+ <url>https://github.com/mantisbt/mantisbt/commit/4efac90ed89a5c009108b641e2e95683791a165a</url>
+ <cvename>CVE-2018-14504</cvename>
+ <cvename>CVE-2018-13066</cvename>
+ </references>
+ <dates>
+ <discovery>2018-07-13</discovery>
+ <entry>2018-07-29</entry>
+ </dates>
+ </vuln>
+
<vuln vid="e97a8852-32dd-4291-ba4d-92711daff056">
<topic>py-bleach -- unsanitized character entities</topic>
<affects>
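Review bot: the `<blockquote>` in the new entry carries a single `cite` (the first commit URL) but quotes two separate reports, while `<references>` lists two commits and two CVE names. Lifted out of its commit message, the second paragraph's "this vulnerability" has no antecedent, and nothing in the entry says which CVE or fix belongs to the Edit Filter issue and which to the PATH_INFO issue on view_filters_page.php. Consider one `<blockquote>` per upstream commit, each with its own `cite`. Per the Notes comment just above the hunk ("Do not forget port variants"), also confirm that `mantis` is the only package name that needs a `<name>` element under `<affects>`.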