CVE-2006-0841

Name of the Vulnerable Software and Affected Versions Mantis versions 1.00rc4 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different PHP files, including hide status, handler id, user monitor, reporter id, view type, show severity, show category, show status, show resolution, show build, show profile, show priority, highlight changed, relationship type, and relationship bug in view all set.php, the sort parameter in manage user page.php, the view type parameter in view filters page.php, and the title parameter in proj doc delete.php.

Recommendations For Mantis versions 1.00rc4 and earlier, consider disabling the parameters hide status, handler id, user monitor, reporter id, view type, show severity, show category, show status, show resolution, show build, show profile, show priority, highlight changed, relationship type, and relationship bug in view all set.php, the sort parameter in manage user page.php, the view type parameter in view filters page.php, and the title parameter in proj doc delete.php until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.