Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-12061

An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.

Published

2017-08-01T15:29:00.547

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	mantisbt	mantisbt	< 1.3.12	Yes
Application	mantisbt	mantisbt	< 2.5.2	Yes

References

http://openwall.com/lists/oss-security/2017/08/01/1 Mailing List, Third Party Advisory ([email protected])
http://openwall.com/lists/oss-security/2017/08/01/2 Mailing List, Third Party Advisory ([email protected])
http://www.securitytracker.com/id/1039030 Third Party Advisory, VDB Entry ([email protected])
https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458ecd08fb0 Patch, Third Party Advisory ([email protected])
https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade785e27cba5 Patch, Third Party Advisory ([email protected])
https://mantisbt.org/bugs/view.php?id=23146 Issue Tracking, Vendor Advisory ([email protected])
http://openwall.com/lists/oss-security/2017/08/01/1 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://openwall.com/lists/oss-security/2017/08/01/2 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039030 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458ecd08fb0 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade785e27cba5 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://mantisbt.org/bugs/view.php?id=23146 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)