CVE-2014-8986

Name	CVE-2014-8986
Description	Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-3120-1

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
mantis	source	squeeze	(unfixed)	end-of-life
mantis	source	wheezy	1.2.18-1		DSA-3120-1
mantis	source	(unstable)	(unfixed)

Notes

[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40
https://github.com/mantisbt/mantisbt/commit/e326b73a (1.2.x)