CVSS: 4.8EPSS: 5%CPEs: 24EXPL: 1CVE-2017-7309
https://notcve.org/view.php?id=CVE-2017-7309
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed in 1.3.9, 2.1.3, and 2.2.3. Una vulnerabilidad XSS en la página informe de configuración de MantisBT (adm_config_report.php) permite a atacantes remotos inyectar código arbitrario (si la configuración de CSP lo permite) mediante un parámetro 'config_option' manipulado. Esto se fija en 1.3.9, 2.1.3 y 2.2.3. • http://openwall.com/lists/oss-security/2017/03/30/4 http://www.mantisbt.org/bugs/view.php?id=22579 http://www.securityfocus.com/bid/97251 http://www.securitytracker.com/id/1038169 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 35EXPL: 1CVE-2017-7241
https://notcve.org/view.php?id=CVE-2017-7241
A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allows it. This is fixed in 1.3.9, 2.1.3, and 2.2.3. Note that this vulnerability is not exploitable if the admin tools directory is removed, as recommended in the "Post-installation and upgrade tasks" of the MantisBT Admin Guide. A reminder to do so is also displayed on the login page. Una vulnerabilidad XSS en la página MantisBT Move Attachments (move_attachments_page.php, parte de las herramientas de administración) permite a atacantes remotos inyectar código arbitrario mediante un parámetro 'type' manipulado si la configuración de CSP lo permite. • http://openwall.com/lists/oss-security/2017/03/30/4 http://www.mantisbt.org/bugs/view.php?id=22568 http://www.securityfocus.com/bid/97253 http://www.securitytracker.com/id/1038169 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •