Fix issue #10 - problem with certain characters in field values #11

Merged
merged 2 commits into from
Dec 10, 2023

Conversation

unboundeduniverse
Contributor

1. Use one or more of &"<> in the value of a target field.
2. Report an issue.
3. The field values are not displayed properly in the select list.
4. Click on the Submit Issue button.
5. There is an error saying invalid value for field.

Fixes issue #10

@unboundeduniverse
Contributor Author

unboundeduniverse commented Nov 1, 2023

There is a bigger issue in release v2.0.0:

1. Create 2 fields. Set them to display when reporting issues.
2. In field 1 put any value.
3. In field 2 put the following:
   Item 1|Item 2\|];alert('Hello');//
4. Link field 1 to field 2 and set the target field value to Item 1.
5. Report an issue.
6. The JavaScript alert actually runs.

Second commit fixes it properly as well as the original issue. First commit is redundant.
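The two output contexts behind this report are an HTML select list and an inline script block that receives the option values. The following is an added example, not code from the plugin or from this pull request, written in JavaScript for illustration: option values are HTML-escaped exactly once for the select list, and the option array is JSON-encoded before it is placed in a script, so a value containing ], ; or quotes stays inside a string literal. The handling of a backslash-escaped pipe in parseOptions is an assumption about how escaped delimiters are meant to behave, not taken from the plugin.

```javascript
// Added example, not the plugin's own code: helpers for the two output
// contexts involved in this report, written in JavaScript for illustration.

// Split a MantisBT-style "Item 1|Item 2" possible-values string.
// Assumption: a backslash before "|" escapes the delimiter.
function parseOptions(raw) {
  const options = [];
  let current = '';
  for (let i = 0; i < raw.length; i++) {
    const ch = raw[i];
    if (ch === '\\' && raw[i + 1] === '|') { current += '|'; i++; continue; }
    if (ch === '|') { options.push(current); current = ''; continue; }
    current += ch;
  }
  options.push(current);
  return options;
}

// HTML-escape for text and attribute contexts (the <option> markup).
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ENTITIES[c]);
}

// Render the select list; each value is escaped exactly once, so &"<> are
// shown as data instead of breaking the markup (the original issue #10).
function renderSelect(name, options) {
  const items = options.map(v => `<option value="${htmlEscape(v)}">${htmlEscape(v)}</option>`);
  return `<select name="${htmlEscape(name)}">${items.join('')}</select>`;
}

// Serialize data for an inline <script>. JSON.stringify quotes every value,
// so "]", ";" and quotes cannot close the array literal; escaping "<" keeps a
// value containing "</script>" or "<!--" from terminating the script block.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed input: the value from the report above, as typed into field 2.
const REPORTED_VALUE = "Item 1|Item 2\\|];alert('Hello');//";
const linkedValues = { field2: parseOptions(REPORTED_VALUE) };
const inlineScript = `<script>var linkedValues = ${jsonForScript(linkedValues)};</script>`;
console.log(renderSelect('field2', linkedValues.field2));
console.log(inlineScript);
```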

@dregad dregad linked an issue Dec 10, 2023 that may be closed by this pull request
@dregad
Member

dregad commented Dec 10, 2023

I have opened a Security Advisory for this XSS issue (GHSA-2f37-9xpx-5hhw), thanks for the analysis and the fix.

@dregad dregad self-assigned this Dec 10, 2023
@dregad dregad merged commit 30e5ae7 into mantisbt-plugins:master Dec 10, 2023
@dregad
Member

dregad commented Dec 13, 2023

CVE-2023-49802 has been assigned.

Successfully merging this pull request may close these issues.

CVE-2023-49802 : Problem with special characters