Mantis < 0.18.1 Multiple Unspecified XSS

medium Nessus Plugin ID 14344

Synopsis

The remote web server contains a PHP application that is prone to cross-site scripting attacks.

Description

According to its banner, the remote version of Mantis contains a flaw in the handling of some types of input. Because of this, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected website.

Solution

Upgrade to Mantis 0.18.1 or later.

See Also

http://sourceforge.net/project/shownotes.php?release_id=202559

Plugin Details

Severity: Medium

ID: 14344

File Name: mantis_xss.nasl

Version: 1.25

Type: remote

Published: 8/23/2004

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:mantisbt:mantisbt

Required KB Items: Settings/ParanoidReport, installed_sw/MantisBT

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 12/9/2003

Reference Information

BID: 9184

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990