CVE-2017-12062

MEDIUM

MantisBT <2.5.2 - XSS

Title source: llm

Description

An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.

References (5)

[Mailing List, Third Party Advisory] http://openwall.com/lists/oss-security/2017/08/01/1

[Mailing List, Third Party Advisory] http://openwall.com/lists/oss-security/2017/08/01/2

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1039030

[Patch, Third Party Advisory] https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7

View Patch ZIP pw:eip

[Exploit, Issue Tracking, Vendor Advisory] https://mantisbt.org/bugs/view.php?id=23166

Scores

CVSS v3 6.1

EPSS 0.0074

EPSS Percentile 72.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (20)

mantisbt/mantisbt

... and 10 more

Published Aug 01, 2017

Tracked Since Feb 18, 2026