关键漏洞信息 ID: 0024813 Project: mantisbt Category: security Summary: CVE-2018-17782: XSS in manage_filter_page.php Description: Project Name is printed on manage_filter_page.php without being sanitized. CVE ID: CVE-2018-17782 Severity: major Priority: normal Reproducibility: always Status: closed Resolution: fixed Product Version: 2.1.0 Target Version: 2.17.2 Fixed In Version: 2.17.2 Date Submitted: 2018-09-29 04:54 Last Update: 2018-10-27 16:21 Attached Files: 24813-XSS-manage_filter_page.patch (1,359 bytes) 活动记录 2018-09-29 12:11: CVE Request 577429 sent to MITRE 2018-09-29 15:33: CVE-2018-17782 assigned 2018-09-29 18:23: Looks good to me. 2018-09-30 07:03: I'm OK with the patch for both 0024813 and 0024814, I confirm it addresses the vulnerability. 相关更改集 Changeset: MantisBT: master-2.17 72ab020a Date: 2018-09-29 01:19 Details: Fix XSS in manage_filter_page.php File: mod - manage_filter_page.php ``` 分析 1. XSS 漏洞: 代码中存在跨站脚本攻击(XSS)漏洞,因项目名称未被正确清理直接输出到页面。 2. 修复措施: 提供了修复补丁 24813-XSS-manage_filter_page.patch。 3. 版本影响: 影响 MantisBT 2.1.0 版本,修复版本为 2.17.2。 4. 漏洞处理: 已通过 CVE-2018-17782 进行了公开,并确认漏洞已修复。 5. 团队合作: 多名开发人员参与了漏洞确认及修复过程,确保问题得到妥善解决。