CVE-2014-9271

MEDIUM

MantisBT <1.2.18 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename.

References (7)

[Exploit, Issue Tracking, Vendor Advisory] https://www.mantisbt.org/bugs/view.php?id=17874

[Mailing List, Third Party Advisory] http://seclists.org/oss-sec/2014/q4/867

[Mailing List, Third Party Advisory] http://seclists.org/oss-sec/2014/q4/902

[Mailing List, Third Party Advisory] http://seclists.org/oss-sec/2014/q4/924

[Third Party Advisory] http://secunia.com/advisories/62101

[Third Party Advisory] http://www.debian.org/security/2015/dsa-3120

[Patch, Third Party Advisory] https://github.com/mantisbt/mantisbt/commit/9fb8cf36f

Scores

CVSS v3 5.4

EPSS 0.0083

EPSS Percentile 74.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status draft

Affected Products (40)

debian/debian_linux

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

... and 25 more

Timeline

Published Jan 09, 2015

Tracked Since Feb 18, 2026