
Vulnerability Solutions

The WatchMouse Periodic Vulnerability Scan checks for the vulnerability below. To see the most recently added vulnerability solutions that are scanned by WatchMouse, go to the Vulnerability Solutions overview.

Category: Gentoo Local Security Checks
Risk factor: High
Added: 4 Dec 2008

The remote host is affected by the vulnerability described in GLSA-200812-07 (Mantis: Multiple vulnerabilities).

Multiple issues have been reported in Mantis:
- EgiX reported that manage_proj_page.php does not correctly sanitize the sort parameter before passing it to create_function() in core/utility_api.php (CVE-2008-4687).
- Privileges of viewers are not sufficiently checked before composing a link with issue data in the source anchor (CVE-2008-4688).
- Mantis does not unset the session cookie during logout (CVE-2008-4689).
- Mantis does not set the secure flag for the session cookie in an HTTPS session (CVE-2008-3102).

Impact: Remote unauthenticated attackers could exploit these vulnerabilities to execute arbitrary PHP commands, disclose sensitive issue data, or hijack a user's session.

Workaround: There is no known workaround at this time.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4689

Solution: All Mantis users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mantisbt-1.1.4-r1"

Risk factor: High
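The Gentoo local check behind this entry comes down to comparing the installed www-apps/mantisbt version against the fixed atom given in the Solution. The following is an added illustration of that comparison, not WatchMouse's or Gentoo's own code; it assumes plain numeric versions with an optional -rN revision (no _rc/_beta suffixes) and runs over a constructed list of installed packages.

```python
import re

# Gentoo dependency atom: optional operator, category/package, version.
# Version grammar is deliberately narrow (digits, dots, optional -rN);
# this is an assumption of the example, not Gentoo's full version spec.
ATOM_RE = re.compile(
    r'^(?P<op>>=|<=|>|<|=)?'
    r'(?P<cat>[A-Za-z0-9_+-]+)/(?P<pkg>[A-Za-z0-9_+-]+?)'
    r'-(?P<ver>\d+(?:\.\d+)*(?:-r\d+)?)$'
)


def parse_atom(atom):
    """Split ">=www-apps/mantisbt-1.1.4-r1" into (op, "www-apps/mantisbt", "1.1.4-r1")."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unparseable atom: {atom}")
    return m.group("op") or "=", f"{m.group('cat')}/{m.group('pkg')}", m.group("ver")


def version_key(ver):
    """Comparable key: numeric components, then revision (missing -rN counts as r0)."""
    base, _, rev = ver.partition("-r")
    return tuple(int(x) for x in base.split(".")), int(rev or 0)


def satisfies(installed_ver, op, wanted_ver):
    a, b = version_key(installed_ver), version_key(wanted_ver)
    return {">=": a >= b, ">": a > b, "<=": a <= b, "<": a < b, "=": a == b}[op]


def is_affected(installed_atom, fixed_atom):
    """True when the installed package is the one named in fixed_atom but does not meet it."""
    _, ipkg, iver = parse_atom(installed_atom)
    op, fpkg, fver = parse_atom(fixed_atom)
    return ipkg == fpkg and not satisfies(iver, op, fver)


def scan(installed, fixed_atom):
    """Return the installed atoms that the advisory's unaffected range does not cover."""
    return [pkg for pkg in installed if is_affected(pkg, fixed_atom)]


# Constructed sample of what a package database might contain on one host.
SAMPLE_INSTALLED = [
    "www-apps/mantisbt-1.1.4",      # one revision short of the fix: affected
    "www-apps/mantisbt-1.1.2",      # older: affected
    "www-apps/mantisbt-1.1.4-r1",   # exactly the fixed version: not affected
    "www-apps/phpmyadmin-2.11.9",   # different package: ignored
]

if __name__ == "__main__":
    print(scan(SAMPLE_INSTALLED, ">=www-apps/mantisbt-1.1.4-r1"))
```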
