PHP Self Cross Site Scripting in MantisBT 1.2.x
MantisBT installations 1.2.x up to 1.2.7 are vulnerable to Cross Site Scripting attacks due to lack of sanitization of the variable $_SERVER["PHP_SELF"].
Affected versions: 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2 and possibly others.
Solution: Upgrade to 1.2.8
MantisBT is a free, popular web-based bug tracking system. It is written in the PHP scripting language and works with MySQL, MS SQL, and PostgreSQL databases and a web server. MantisBT has been installed on Windows, Linux, Mac OS, OS/2, and others. Almost any web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).
Details
The variable $_SERVER["PHP_SELF"] is not sanitized before being used, causing multiple Cross Site Scripting vulnerabilities in several files.
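The pattern behind this class of bug, as an added illustration that is not MantisBT code and not part of the advisory: PHP_SELF reflects the request path, including any PATH_INFO suffix a client appends after the script name, so echoing it unescaped into an HTML attribute lets request-controlled characters break out of that attribute. The function names and the constructed sample path below are assumptions made for this example; the fix is the standard one of escaping for the attribute context (or using a server-derived value such as SCRIPT_NAME, which PATH_INFO does not influence).

```php
<?php
// Added example, not MantisBT code: how $_SERVER["PHP_SELF"] reaches an HTML
// attribute, and how to neutralise it. Function names are hypothetical.

// Vulnerable pattern: the raw value is interpolated straight into a form action.
function form_action_unsafe(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '">';
}

// Hardened pattern: escape quotes and angle brackets for the attribute context.
// ENT_QUOTES covers both quote styles; the charset is stated explicitly.
function form_action_safe(string $php_self): string
{
    $escaped = htmlspecialchars($php_self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">';
}

// Alternative: build the action from SCRIPT_NAME, which the web server derives
// from the resolved script path rather than from the raw request URI, and
// escape it anyway so the output is safe regardless of where the value came from.
function form_action_from_script_name(array $server): string
{
    $name = $server['SCRIPT_NAME'] ?? '';
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">';
}

// Constructed sample input (not a real request): a script path with a PATH_INFO
// suffix carrying a quote and angle brackets, which is what closes the attribute.
$sample = '/mantis/view.php/"><i>x</i>';

echo form_action_unsafe($sample), PHP_EOL;   // attribute is terminated early
echo form_action_safe($sample), PHP_EOL;     // characters emitted as entities
echo form_action_from_script_name(['SCRIPT_NAME' => '/mantis/view.php']), PHP_EOL;
```

Run with `php example.php`; the first line shows the attribute boundary broken by the suffix, the second shows the same input rendered inert as `&quot;&gt;&lt;i&gt;x&lt;/i&gt;`. When auditing a PHP code base for this issue, a grep for `PHP_SELF` that is not wrapped in `htmlspecialchars()` (or an equivalent output-encoding helper) finds the candidate sites quickly.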