| VID | 21354 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | Mantis, a freely available PHP-based bug tracking system with a MySQL backend, is running on the remote Web server. According to its version number it is affected by multiple cross-site scripting vulnerabilities: Mantis versions prior to 0.18.0 do not properly sanitize certain types of user-supplied input before returning it in a page. A remote attacker could craft a URL containing malicious script and persuade a target user to follow it; the script then executes in the victim's browser in the context of the Mantis site, letting the attacker steal the victim's cookie-based authentication credentials and hijack the session. |
| Note | This check relies solely on the Mantis version reported by the remote Web server, so the result may be a false positive (for example, where the fix was backported without changing the version string). |
| Platforms Affected | Mantis prior to 0.18.0 (any operating system, any version) |
| Recommendation | Upgrade to Mantis 0.18.0 or later, available from the Mantis web site at http://www.mantisbt.org/index.php |
| Related URL | (CVE) |
| Related URL | 9184 (SecurityFocus) |
| Related URL | 13932 (ISS) |
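The note in this entry says the check relies on the version number alone. The following Python is an added example, not the scanner's or Mantis's own code; it shows how a version-only check of this kind reasons (pull the banner from the page, compare it numerically against the fixed release 0.18.0) and the pitfall it has to avoid, namely comparing versions as strings. The footer format "Mantis 0.17.5", the handling of pre-release tags such as "a4", and the sample page bodies are constructed assumptions, not real captures.

```python
"""Version-only check for the Mantis XSS advisory (Mantis < 0.18.0).

Added example, not scanner or Mantis code. The banner format below is an
assumption about how old Mantis releases identified themselves in the footer.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "0.18.0"  # first release the advisory lists as not affected

# Assumption: old Mantis pages print something like "Mantis 0.17.5" in the
# footer. An optional trailing tag (e.g. "a4") captures pre-release builds.
VERSION_RE = re.compile(r"\bMantis\s+(\d+(?:\.\d+)*)([A-Za-z][A-Za-z0-9]*)?")


def version_key(version: str, width: int = 4) -> Tuple[Tuple[int, ...], int]:
    """Turn '0.17.5' or '0.18.0a4' into a sortable key.

    Numeric components are compared as integers and zero-padded so that
    '0.18' equals '0.18.0'. A pre-release tag (e.g. 'a4') sorts below the
    final release with the same numbers. Plain string comparison gets this
    wrong: '0.18.0' < '0.9.1' is True lexicographically.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([A-Za-z][A-Za-z0-9]*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (width - len(nums))
    is_final = 0 if m.group(2) else 1
    return nums, is_final


def is_vulnerable(version: str) -> bool:
    """True when the reported version is older than the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def extract_version(html: str) -> Optional[str]:
    """Pull the Mantis version out of a page body; None if no banner is found."""
    m = VERSION_RE.search(html)
    if not m:
        return None
    return m.group(1) + (m.group(2) or "")


def assess(html: str) -> dict:
    """Combine extraction and comparison the way a version-only check does.

    The advisory's caveat applies: this says nothing about whether the XSS is
    actually exploitable on this host (backported fixes, patched forks), only
    that the banner is below 0.18.0. 'unknown' means no banner was found.
    """
    v = extract_version(html)
    if v is None:
        return {"version": None, "verdict": "unknown"}
    verdict = "vulnerable" if is_vulnerable(v) else "not_vulnerable"
    return {"version": v, "verdict": verdict}


# Constructed sample footers standing in for fetched pages (not real captures).
SAMPLE_OLD = '<p class="footer">Mantis 0.17.5<br>Copyright 2000 - 2003 Mantis Group</p>'
SAMPLE_NEW = '<p class="footer">Mantis 0.18.0<br>Copyright 2000 - 2003 Mantis Group</p>'

if __name__ == "__main__":
    for body in (SAMPLE_OLD, SAMPLE_NEW):
        print(assess(body))
```

Because the verdict rests on the banner alone, a "vulnerable" result should be confirmed against the installed package or a changelog before it is treated as an actual finding, and a missing banner yields "unknown" rather than a guess.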