On Wed, 19 Jul 2006, Moritz Muehlenhoff wrote:

> Let's forward this to the relevant person at MITRE. Steven, could you
> please check, whether this might be a duplicate?

Looks like a partial duplicate.  CVE-2005-3337 lists two items, and the
second one appears to be a dupe of CVE-2005-2557 based on the Mantis bug
number.

Actually, the first item in CVE-2005-3337 appears to be a dupe of
CVE-2005-3091 based on Mantis bug number too :(

Does this make sense?

- Steve


======================================================
Name: CVE-2005-2557
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2557
Acknowledged: yes
Announced: 20050822
Flaw: XSS
Reference: BUGTRAQ:20050926 Mantis Bugtracker - Remote Database Scanner and XSS Vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112786017426276&w=2
Reference: CONFIRM:http://www.mantisbt.org/changelog.php
Reference: DEBIAN:DSA-778
Reference: URL:http://www.debian.org/security/2005/dsa-778
Reference: GENTOO:GLSA-200509-16
Reference: URL:http://www.gentoo.org/security/en/glsa/glsa-200509-16.xml
Reference: BID:14604
Reference: URL:http://www.securityfocus.com/bid/14604
Reference: SECUNIA:16506
Reference: URL:http://secunia.com/advisories/16506/
Reference: XF:mantis-bug-report-xss(21958)
Reference: URL:http://xforce.iss.net/xforce/xfdb/21958

Cross-site scripting (XSS) vulnerability in view_all_set.php in Mantis
0.19.0a1 through 1.0.0a3 allows remote attackers to inject arbitrary
web script or HTML via the dir parameter, as identified by
bug#0005959, and a different vulnerability than CVE-2005-3090.


Analysis:
ACKNOWLEDGEMENT: in the mantis changelog it says "0005959: [security]
Cross Site Scripting Vulnerabilty in the mantis/view_all_set.php
Script (thraxisp)"

ABSTRACTION: bug#0005959, bug#0006002, and bug#0005751 were SPLIT per
e-mail discussions with Martin Schulze on August 25, 2005.  Some bugs
were fixed by Debian and some did not have to be, suggesting different
affected versions.



======================================================
Name: CVE-2005-3091
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3091
Acknowledged: yes
Announced: 20050822
Flaw: XSS
Reference: CONFIRM:http://www.mantisbt.org/changelog.php
Reference: DEBIAN:DSA-905
Reference: URL:http://www.debian.org/security/2005/dsa-905
Reference: BID:15227
Reference: URL:http://www.securityfocus.com/bid/15227
Reference: SECUNIA:16506
Reference: URL:http://secunia.com/advisories/16506
Reference: SECUNIA:17654
Reference: URL:http://secunia.com/advisories/17654

Cross-site scripting (XSS) vulnerability in Mantis before 1.0.0rc1
allows remote attackers to inject arbitrary web script or HTML via
unknown attack vectors, as identified by bug#0005751 "thraxisp".


Analysis:

ABSTRACTION: bug#0005959, bug#0006002, and bug#0005751 were SPLIT per
e-mail discussions with Martin Schulze on August 25, 2005.  Some bugs
were fixed by Debian and some did not have to be, suggesting different
affected versions.
ACKNOWLEDGEMENT: in the mantis changelog it says "0005751: [security]
Javascript XSS vulnerability (thraxisp)"


======================================================
Name: CVE-2005-3337
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3337
Acknowledged: yes changelog
Announced: 20051026
Flaw: XSS
Reference: CONFIRM:http://bugs.mantisbt.org/changelog_page.php
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=362673
Reference: GENTOO:GLSA-200510-24
Reference: URL:http://www.gentoo.org/security/en/glsa/glsa-200510-24.xml
Reference: OSVDB:20321
Reference: URL:http://www.osvdb.org/20321
Reference: SECUNIA:17362
Reference: URL:http://secunia.com/advisories/17362

Multiple cross-site scripting (XSS) vulnerabilities in Mantis before
0.19.3 allow remote attackers to inject arbitrary web script or HTML
via (1) unknown vectors involving Javascript and (2)
mantis/view_all_set.php.


Analysis:
ACK: the vendor changelog for 0.19.3 includes two items "0006332:
[security] Port #5751 to 0.19.3: Javascript XSS vulnerability
(vboctor)" and "- 0006333: [security] Port #5959 to 0.19.3: Cross Site
Scripting Vulnerabilty in the mantis/view_all_set.php Script
(vboctor)"
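
Added example, not part of the original message or of MITRE's tooling: the bug-number cross-check described in the reply, run over excerpts of the three records above. The parsing rules and the names `root_bugs` and `overlaps` are assumptions of this sketch; ABSTRACTION notes are skipped because they name sibling bugs that were split off, and a "Port #N" changelog item is counted as bug N.

```python
import re
from collections import defaultdict

# Constructed input: excerpts of the three records above, one paragraph per item.
RECORDS = {
    "CVE-2005-2557": [
        'via the dir parameter, as identified by bug#0005959, and a different vulnerability than CVE-2005-3090.',
        'ACKNOWLEDGEMENT: in the mantis changelog it says "0005959: [security] Cross Site Scripting Vulnerabilty in the mantis/view_all_set.php Script (thraxisp)"',
        'ABSTRACTION: bug#0005959, bug#0006002, and bug#0005751 were SPLIT per e-mail discussions',
    ],
    "CVE-2005-3091": [
        'unknown attack vectors, as identified by bug#0005751 "thraxisp".',
        'ABSTRACTION: bug#0005959, bug#0006002, and bug#0005751 were SPLIT per e-mail discussions',
        'ACKNOWLEDGEMENT: in the mantis changelog it says "0005751: [security] Javascript XSS vulnerability (thraxisp)"',
    ],
    "CVE-2005-3337": [
        'via (1) unknown vectors involving Javascript and (2) mantis/view_all_set.php.',
        'ACK: the vendor changelog for 0.19.3 includes two items "0006332: [security] Port #5751 to 0.19.3: Javascript XSS vulnerability (vboctor)" and "- 0006333: [security] Port #5959 to 0.19.3: Cross Site Scripting Vulnerabilty in the mantis/view_all_set.php Script (vboctor)"',
    ],
}

# Changelog item "NNNNNNN: [security] ..." with an optional "Port #N" back-reference.
ITEM = re.compile(r"(\d{7}):\s+\[security\](?:\s+Port\s+#(\d+))?")
BUGREF = re.compile(r"bug#(\d+)")

def root_bugs(paragraphs):
    """Return the upstream Mantis bug numbers a record is actually about."""
    bugs = set()
    for p in paragraphs:
        if p.startswith("ABSTRACTION:"):  # sibling bugs from the split, not this entry's bug
            continue
        bugs.update(int(n) for n in BUGREF.findall(p))
        for item_id, ported in ITEM.findall(p):
            bugs.add(int(ported or item_id))  # a backport item counts as the original bug
    return bugs

def overlaps(records):
    """Map each bug number to the CVE names that share it (only where more than one does)."""
    by_bug = defaultdict(set)
    for cve, paragraphs in records.items():
        for bug in root_bugs(paragraphs):
            by_bug[bug].add(cve)
    return {bug: sorted(cves) for bug, cves in by_bug.items() if len(cves) > 1}

if __name__ == "__main__":
    for bug, cves in sorted(overlaps(RECORDS).items()):
        print(f"Mantis bug {bug:07d}: {', '.join(cves)}")
```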



