On Wed, 19 Jul 2006, Moritz Muehlenhoff wrote:

> Let's forward this to the relevant person at MITRE. Steven, could you
> please check, whether this might be a duplicate?

Looks like a partial duplicate. CVE-2005-3337 lists two items, and the
second one appears to be a dupe of CVE-2005-2557 based on the Mantis bug
number.

Actually, the first item in CVE-2005-3337 appears to be a dupe of
CVE-2005-3091 based on Mantis bug number too :(

Does this make sense?

- Steve

======================================================
Name: CVE-2005-2557
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2557
Acknowledged: yes
Announced: 20050822
Flaw: XSS
Reference: BUGTRAQ:20050926 Mantis Bugtracker - Remote Database Scanner and XSS Vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112786017426276&w=2
Reference: CONFIRM:http://www.mantisbt.org/changelog.php
Reference: DEBIAN:DSA-778
Reference: URL:http://www.debian.org/security/2005/dsa-778
Reference: GENTOO:GLSA-200509-16
Reference: URL:http://www.gentoo.org/security/en/glsa/glsa-200509-16.xml
Reference: BID:14604
Reference: URL:http://www.securityfocus.com/bid/14604
Reference: SECUNIA:16506
Reference: URL:http://secunia.com/advisories/16506/
Reference: XF:mantis-bug-report-xss(21958)
Reference: URL:http://xforce.iss.net/xforce/xfdb/21958

Cross-site scripting (XSS) vulnerability in view_all_set.php in Mantis
0.19.0a1 through 1.0.0a3 allows remote attackers to inject arbitrary
web script or HTML via the dir parameter, as identified by
bug#0005959, and a different vulnerability than CVE-2005-3090.

Analysis:
ACKNOWLEDGEMENT: in the mantis changelog it says "0005959: [security]
Cross Site Scripting Vulnerabilty in the mantis/view_all_set.php
Script (thraxisp)"

ABSTRACTION: bug#0005959, bug#0006002, and bug#0005751 were SPLIT per
e-mail discussions with Martin Schulze on August 25, 2005. Some bugs
were fixed by Debian and some did not have to be, suggesting different
affected versions.

======================================================
Name: CVE-2005-3091
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3091
Acknowledged: yes
Announced: 20050822
Flaw: XSS
Reference: CONFIRM:http://www.mantisbt.org/changelog.php
Reference: DEBIAN:DSA-905
Reference: URL:http://www.debian.org/security/2005/dsa-905
Reference: BID:15227
Reference: URL:http://www.securityfocus.com/bid/15227
Reference: SECUNIA:16506
Reference: URL:http://secunia.com/advisories/16506
Reference: SECUNIA:17654
Reference: URL:http://secunia.com/advisories/17654

Cross-site scripting (XSS) vulnerability in Mantis before 1.0.0rc1
allows remote attackers to inject arbitrary web script or HTML via
unknown attack vectors, as identified by bug#0005751 "thraxisp".

Analysis:
ABSTRACTION: bug#0005959, bug#0006002, and bug#0005751 were SPLIT per
e-mail discussions with Martin Schulze on August 25, 2005. Some bugs
were fixed by Debian and some did not have to be, suggesting different
affected versions.

ACKNOWLEDGEMENT: in the mantis changelog it says "0005751: [security]
Javascript XSS vulnerability (thraxisp)"

======================================================
Name: CVE-2005-3337
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3337
Acknowledged: yes changelog
Announced: 20051026
Flaw: XSS
Reference: CONFIRM:http://bugs.mantisbt.org/changelog_page.php
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=362673
Reference: GENTOO:GLSA-200510-24
Reference: URL:http://www.gentoo.org/security/en/glsa/glsa-200510-24.xml
Reference: OSVDB:20321
Reference: URL:http://www.osvdb.org/20321
Reference: SECUNIA:17362
Reference: URL:http://secunia.com/advisories/17362

Multiple cross-site scripting (XSS) vulnerabilities in Mantis before
0.19.3 allow remote attackers to inject arbitrary web script or HTML
via (1) unknown vectors involving Javascript and (2)
mantis/view_all_set.php.

Analysis:
ACK: the vendor changelog for 0.19.3 includes two items "0006332:
[security] Port #5751 to 0.19.3: Javascript XSS vulnerability
(vboctor)" and "- 0006333: [security] Port #5959 to 0.19.3: Cross Site
Scripting Vulnerabilty in the mantis/view_all_set.php Script
(vboctor)"
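
Added example (not part of the original message and not MITRE tooling): the Mantis-bug-number cross-check described above, run over excerpts of the three quoted records. The helper names `root_bugs` and `overlaps` are hypothetical, and the patterns assume the changelog wording seen in these records.

```python
import re
from collections import defaultdict

# Excerpts (description and analysis text) from the three records quoted in
# the message above; references omitted.
RECORDS = {
    "CVE-2005-2557": (
        'via the dir parameter, as identified by bug#0005959 '
        'Analysis: "0005959: [security] Cross Site Scripting Vulnerabilty in '
        'the mantis/view_all_set.php Script (thraxisp)" ABSTRACTION: '
        'bug#0005959, bug#0006002, and bug#0005751 were SPLIT'
    ),
    "CVE-2005-3091": (
        'as identified by bug#0005751 "thraxisp". ABSTRACTION: bug#0005959, '
        'bug#0006002, and bug#0005751 were SPLIT ACKNOWLEDGEMENT: '
        '"0005751: [security] Javascript XSS vulnerability (thraxisp)"'
    ),
    "CVE-2005-3337": (
        '"0006332: [security] Port #5751 to 0.19.3: Javascript XSS '
        'vulnerability (vboctor)" and "- 0006333: [security] Port #5959 to '
        '0.19.3: Cross Site Scripting Vulnerabilty in the '
        'mantis/view_all_set.php Script (vboctor)"'
    ),
}

# "as identified by bug#N" names the record's own bug; the ABSTRACTION note
# lists sibling bugs that were split off, so it is deliberately not matched.
IDENTIFIED = re.compile(r"identified by bug#(\d+)")
# Changelog entry "NNNNNNN: [security] ...", optionally "Port #N to X.Y.Z: ".
CHANGELOG = re.compile(r"\b(\d{7}): \[security\] (?:Port #(\d+) to [\w.]+: )?")

def root_bugs(text):
    """Original Mantis bug numbers a record covers (ports resolved)."""
    bugs = {int(n) for n in IDENTIFIED.findall(text)}
    for entry_id, ported_from in CHANGELOG.findall(text):
        bugs.add(int(ported_from or entry_id))
    return bugs

def overlaps(records):
    """Map each bug number claimed by more than one CVE to those CVEs."""
    by_bug = defaultdict(set)
    for cve, text in records.items():
        for bug in root_bugs(text):
            by_bug[bug].add(cve)
    return {b: sorted(c) for b, c in by_bug.items() if len(c) > 1}

if __name__ == "__main__":
    for bug, cves in sorted(overlaps(RECORDS).items()):
        print(f"bug#{bug:07d} -> {', '.join(cves)}")
```

Resolving each "Port #N" entry to the bug it backports is what lets the two 0.19.3 changelog items line up with the earlier records.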