CVE-2017-7241

MEDIUM

MantisBT - XSS

Title source: llm

Description

A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allows it. This is fixed in 1.3.9, 2.1.3, and 2.2.3. Note that this vulnerability is not exploitable if the admin tools directory is removed, as recommended in the "Post-installation and upgrade tasks" of the MantisBT Admin Guide. A reminder to do so is also displayed on the login page.

References (4)

[Mailing List, Third Party Advisory] http://openwall.com/lists/oss-security/2017/03/30/4

[Exploit, Patch, Vendor Advisory] http://www.mantisbt.org/bugs/view.php?id=22568

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/97253

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1038169

Scores

CVSS v3 4.8

EPSS 0.0080

EPSS Percentile 73.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (37)

n/a/n/a

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

mantisbt/mantisbt

... and 22 more

Timeline

Published Mar 31, 2017

Tracked Since Feb 18, 2026