CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-12061
https://notcve.org/view.php?id=CVE-2017-12061
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP. Se detectó una vulnerabilidad de tipo Cross-Site Scripting (XSS) en admin/install.php en MantisBT en versiones anteriores a la 1.3.12 y todas las 2.X anteriores a la 2.5.2. Algunas variables que están bajo el control de usuarios en el script de instalación de MantisBT no están sanitizadas correctamente antes de que se envíen, permitiendo a los atacantes remotos inyectar código JavaScript arbitrario, tal y como lo demuestran las variables $f_database, $f_db_username, y $f_admin_username. • http://openwall.com/lists/oss-security/2017/08/01/1 http://openwall.com/lists/oss-security/2017/08/01/2 http://www.securitytracker.com/id/1039030 https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458ecd08fb0 https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade785e27cba5 https://mantisbt.org/bugs/view.php?id=23146 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 11EXPL: 2CVE-2017-7620 – Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2017-7620
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI. MantisBT antes de v1.3.11, 2.x antes de v2.3.3 y 2.4.x antes de v2.4.1 omite una verificación de barra invertida en string_api.php y, en consecuencia, tiene interpretaciones conflictivas de una subcadena inicial \/ como introducción de una ruta de acceso local o un host remoto, que conduce a (1) una inyección arbitraria de HTTP a través de ataques CSRF en un URI permalink_page.php?url= y (2) una redirección abierta a través de un URI login_page.php? • https://www.exploit-db.com/exploits/42043 http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt http://www.securitytracker.com/id/1038538 https://mantisbt.org/bugs/view.php?id=22702 https://mantisbt.org/bugs/view.php?id=22816 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2CVE-2017-7897
https://notcve.org/view.php?id=CVE-2017-7897
A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs. Una vulnerabilidad XSS en el MantisBT (2.3.x en versiones anteriores a 2.3.2) Timeline incluye página, utilizada en My View (my_view_page.php) y páginas User Information (view_user_page.php), permite a atacantes remotos inyectar código arbitrario (si los ajustes CSP lo permiten) a través de PATH_INFO manipulado en una URL, debido al uso de $_SERVER['PHP_SELF'] no desinfectado para generar URLs. • http://www.mantisbt.org/bugs/view.php?id=22742 http://www.securitytracker.com/id/1038278 https://github.com/mantisbt/mantisbt/commit/a1c719313d61b07bbe8700005807b8195fdc32f1 https://github.com/mantisbt/mantisbt/pull/1094 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •