CVE-2017-12061
https://notcve.org/view.php?id=CVE-2017-12061
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP. Se detectó una vulnerabilidad de tipo Cross-Site Scripting (XSS) en admin/install.php en MantisBT en versiones anteriores a la 1.3.12 y todas las 2.X anteriores a la 2.5.2. Algunas variables que están bajo el control de usuarios en el script de instalación de MantisBT no están sanitizadas correctamente antes de que se envíen, permitiendo a los atacantes remotos inyectar código JavaScript arbitrario, tal y como lo demuestran las variables $f_database, $f_db_username, y $f_admin_username. • http://openwall.com/lists/oss-security/2017/08/01/1 http://openwall.com/lists/oss-security/2017/08/01/2 http://www.securitytracker.com/id/1039030 https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458ecd08fb0 https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade785e27cba5 https://mantisbt.org/bugs/view.php?id=23146 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-12062
https://notcve.org/view.php?id=CVE-2017-12062
An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled. Se detectó una vulnerabilidad de tipo Cross-Site Scripting (XSS) en manage_user_page.php en MantisBT en sus versiones 2.X anteriores a la 2.5.2. El campo "filter" no se sanitiza antes de que se renderice en la página Manage User, permitiendo a los atacantes remotos ejecutar código JavaScript arbitrario si se deshabilita la política de seguridad de contenido (CSP). • http://openwall.com/lists/oss-security/2017/08/01/1 http://openwall.com/lists/oss-security/2017/08/01/2 http://www.securitytracker.com/id/1039030 https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7 https://mantisbt.org/bugs/view.php?id=23166 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5059
https://notcve.org/view.php?id=CVE-2015-5059
The "Project Documentation" feature in MantisBT 1.2.19 and earlier, when the threshold to access files ($g_view_proj_doc_threshold) is set to ANYBODY, allows remote authenticated users to download attachments linked to arbitrary private projects via a file id number in the file_id parameter to file_download.php. En caso de que el nivel de permiso para acceder a los archivos ($g_view_proj_doc_threshold) se establezca en ANYBODY, la característica "Project Documentation" en las versiones 1.2.19 y anteriores de MantisBT permite a usuarios remotos autenticados descargar adjuntos enlazados con proyectos privados arbitrarios, utilizando un identificador de archivo en el parámetro file_id al file_download.php. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163191.html http://www.openwall.com/lists/oss-security/2015/06/25/3 http://www.openwall.com/lists/oss-security/2015/06/25/4 http://www.securityfocus.com/bid/75414 https://bugzilla.redhat.com/show_bug.cgi?id=1237199 https://github.com/mantisbt/mantisbt/commit/a4be76d6e5c4939545d84712c79d3f8f4a108c4f https://github.com/mantisbt/mantisbt/commit/f39cf5251953b468e9d921e1cf2aca3abdb00772 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-7620 – Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2017-7620
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI. MantisBT antes de v1.3.11, 2.x antes de v2.3.3 y 2.4.x antes de v2.4.1 omite una verificación de barra invertida en string_api.php y, en consecuencia, tiene interpretaciones conflictivas de una subcadena inicial \/ como introducción de una ruta de acceso local o un host remoto, que conduce a (1) una inyección arbitraria de HTTP a través de ataques CSRF en un URI permalink_page.php?url= y (2) una redirección abierta a través de un URI login_page.php? • https://www.exploit-db.com/exploits/42043 http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt http://www.securitytracker.com/id/1038538 https://mantisbt.org/bugs/view.php?id=22702 https://mantisbt.org/bugs/view.php?id=22816 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2017-7897
https://notcve.org/view.php?id=CVE-2017-7897
A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs. Una vulnerabilidad XSS en el MantisBT (2.3.x en versiones anteriores a 2.3.2) Timeline incluye página, utilizada en My View (my_view_page.php) y páginas User Information (view_user_page.php), permite a atacantes remotos inyectar código arbitrario (si los ajustes CSP lo permiten) a través de PATH_INFO manipulado en una URL, debido al uso de $_SERVER['PHP_SELF'] no desinfectado para generar URLs. • http://www.mantisbt.org/bugs/view.php?id=22742 http://www.securitytracker.com/id/1038278 https://github.com/mantisbt/mantisbt/commit/a1c719313d61b07bbe8700005807b8195fdc32f1 https://github.com/mantisbt/mantisbt/pull/1094 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •