CVE-2017-12062

An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.

Published: Aug 1, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-12062
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
mantisbt / mantisbt	2.3.0	2.3.0.x
mantisbt / mantisbt	2.1.0	2.1.0.x
mantisbt / mantisbt	2.1.2	2.1.2.x
mantisbt / mantisbt	2.4.1	2.4.1.x
mantisbt / mantisbt	2.1.3	2.1.3.x
mantisbt / mantisbt	2.5.0	2.5.0.x
mantisbt / mantisbt	2.4.2	2.4.2.x
mantisbt / mantisbt	2.1.1	2.1.1.x
mantisbt / mantisbt	2.2.2	2.2.2.x
mantisbt / mantisbt	2.2.1	2.2.1.x
mantisbt / mantisbt	2.5.1	2.5.1.x
mantisbt / mantisbt	2.4.0	2.4.0.x
mantisbt / mantisbt	2.3.2	2.3.2.x
mantisbt / mantisbt	2.2.4	2.2.4.x
mantisbt / mantisbt	2.3.3	2.3.3.x
mantisbt / mantisbt	2.2.3	2.2.3.x
mantisbt / mantisbt	2.3.1	2.3.1.x
mantisbt / mantisbt	2.2.0	2.2.0.x

Vulnerability Database

289,697

CVE-2017-12062