low
3.5
CWE
79
Advisory Published
CVE Published
Updated

CVE-2010-2802: XSS

First published: Tue Aug 03 2010(Updated: )

A flaw was found in the way that the Mantis BTS handled attachments and MIME types. A user could upload an HTML file renamed to a .gif and Mantis would calculate the actual MIME type of the file as text/html. A user tricked into thinking they were clicking a .gif attachment would instead have the full HTML file rendered in the browser, rather than having it treated as a downloadable file or displayed in plain text. References: <a href="http://www.mantisbt.org/bugs/view.php?id=11952">http://www.mantisbt.org/bugs/view.php?id=11952</a> <a href="http://www.mantisbt.org/blog/?p=113">http://www.mantisbt.org/blog/?p=113</a> This was corrected in upstream version 1.2.2 and affects current Fedora 12, 13, rawhide, and EPEL5.

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
MantisBT=1.0.0-rc1
MantisBT=1.0.0a1
MantisBT=1.0.0-rc3
MantisBT=0.19.4
MantisBT=1.0.0a3
MantisBT=1.0.2
MantisBT=0.19.0a1
MantisBT=0.19.0-rc1
MantisBT=0.19.1
MantisBT=0.18.0
MantisBT=0.19.2
MantisBT<=1.2.1
MantisBT=0.19.3
MantisBT=1.1.6
MantisBT=1.2.0
MantisBT=1.1.4
MantisBT=1.0.3
MantisBT=1.1.0
MantisBT=1.0.0-rc2
MantisBT=0.19.0a2
MantisBT=1.1.5
MantisBT=1.0.7
MantisBT=1.1.2
MantisBT=1.0.1
MantisBT=1.0.0-rc5
MantisBT=1.0.0
MantisBT=1.0.4
MantisBT=1.1.7
MantisBT=1.0.5
MantisBT=1.1.8
MantisBT=0.19.0
MantisBT=1.0.0-rc4
MantisBT=1.0.6
MantisBT=0.19.5
MantisBT=1.0.0a2
MantisBT=1.0.8
MantisBT=1.1.1

Remedy

http://www.mantisbt.org/blog/?p=113

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2010-2802?

    CVE-2010-2802 is classified as a medium-severity vulnerability due to its potential for exploitation through file upload tricks.

  • How do I fix CVE-2010-2802?

    To mitigate CVE-2010-2802, upgrade to a patched version of MantisBT that addresses the issue with improperly handled attachments.

  • What is the impact of CVE-2010-2802?

    CVE-2010-2802 allows an attacker to upload malicious HTML files disguised as image files, potentially leading to phishing or other attacks.

  • Which versions of MantisBT are affected by CVE-2010-2802?

    CVE-2010-2802 affects multiple versions including MantisBT versions from 0.18.0 to 1.2.1.

  • Can CVE-2010-2802 lead to remote code execution?

    CVE-2010-2802 does not directly lead to remote code execution, but it can facilitate phishing attacks or other malicious actions.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203