CVE-2017-15213

Name of the Vulnerable Software and Affected Versions Flyspray versions prior to 1.0-rc6

Description The issue allows an authenticated user to inject JavaScript and gain administrator privileges. This is achieved by exploiting the real name or email address field in the themes/CleanFS/templates/common.editallusers.tpl template.

Recommendations For versions prior to 1.0-rc6, update to version 1.0-rc6 or later to resolve the issue. As a temporary workaround, consider restricting access to the themes/CleanFS/templates/common.editallusers.tpl template to minimize the risk of exploitation. Avoid using the real name or email address fields in the affected template until the issue is resolved.