CVE-2023-49802

Опубликовано: 11 дек. 2023

Источник: nvd

CVSS3: 6.7

CVSS3: 6.1

EPSS Низкий

Описание

The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin and displayed when reporting a new Issue or editing an existing one. This issue is fixed in version 2.0.1. As a workaround, one may utilize MantisBT's default Content Security Policy, which blocks script execution.

Ссылки

https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286
Patch
https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10
Issue Tracking
Patch
https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11
Issue Tracking
https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw
Vendor Advisory
https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286
Patch
https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10
Issue Tracking
Patch
https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11
Issue Tracking
https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mantisbt:linked_custom_fields:*:*:*:*:*:mantisbt:*:*

Версия до 2.0.1 (исключая)

EPSS

Процентиль: 42%

0.00198

Низкий

6.7 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

EPSS

Процентиль: 42%

0.00198

Низкий

6.7 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79