Mantis Bug Tracker Multiple Vulnerabilities - Bugtraq Advisory

2008

20 May 2008

Event

N/A

What

Cve

cve vulnerability mantis mantisbt xss csrf rce bugtraq cve-attribution disclosure

On May 20, 2008, Francesco “ascii” Ongaro published a detailed advisory on Bugtraq (via the marc.info portal) describing multiple vulnerabilities (XSS, CSRF and Remote Code Execution) in version 1.1.1 of Mantis Bug Tracker. The bulletin, co-signed with Antonio “s4tan” Parata, also raised an issue of incorrect attribution for CVE-2008-2276, which had been credited to an internal Mantis project contact (Glenn Henshaw) even though the discovery was made by the USH team. Ongaro publicly criticized the vendor’s handling of the disclosure, stating that the incident would prompt a change of approach toward publishing directly to researchers and users. The advisory also carried a signature and a copyright notice attributed to Ongaro.

Archived PDF document