Description
An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.
References (5)
Core 5
Core References
Mailing List, Third Party Advisory x_refsource_confirm
http://openwall.com/lists/oss-security/2017/08/01/1
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1039030
Exploit, Issue Tracking, Vendor Advisory x_refsource_confirm
https://mantisbt.org/bugs/view.php?id=23166
Mailing List, Third Party Advisory x_refsource_confirm
http://openwall.com/lists/oss-security/2017/08/01/2
Patch, Third Party Advisory x_refsource_confirm
https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7
Scores
CVSS v3
6.1
EPSS
0.0074
EPSS Percentile
73.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (19)
mantisbt/mantisbt
2.1.0
mantisbt/mantisbt
2.1.1
mantisbt/mantisbt
2.1.2
mantisbt/mantisbt
2.1.3
mantisbt/mantisbt
2.2.0
mantisbt/mantisbt
2.2.1
mantisbt/mantisbt
2.2.2
mantisbt/mantisbt
2.2.3
mantisbt/mantisbt
2.2.4
mantisbt/mantisbt
2.3.0
... and 9 more
Published
Aug 01, 2017
Tracked Since
Feb 18, 2026