CVE-2017-7241
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Description
A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of the admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, provided the Content Security Policy (CSP) settings allow it. This is fixed in 1.3.9, 2.1.3, and 2.2.3. Note that this vulnerability is not exploitable if the admin tools directory is removed, as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide. A reminder to do so is also displayed on the login page.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2017-03-23 CVE Reserved
- 2017-03-31 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
URL | Tag | Date
---|---|---
http://openwall.com/lists/oss-security/2017/03/30/4 | Mailing List | -
http://www.securityfocus.com/bid/97253 | Third Party Advisory | -
http://www.securitytracker.com/id/1038169 | VDB Entry | -
http://www.mantisbt.org/bugs/view.php?id=22568 | - | 2024-08-05
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Mantisbt | Mantisbt | 1.2.16 | - | Affected
Mantisbt | Mantisbt | 1.2.17 | - | Affected
Mantisbt | Mantisbt | 1.2.18 | - | Affected
Mantisbt | Mantisbt | 1.2.19 | - | Affected
Mantisbt | Mantisbt | 1.2.20 | - | Affected
Mantisbt | Mantisbt | 1.3.0 | beta1 | Affected
Mantisbt | Mantisbt | 1.3.0 | beta2 | Affected
Mantisbt | Mantisbt | 1.3.0 | beta3 | Affected
Mantisbt | Mantisbt | 1.3.0 | rc1 | Affected
Mantisbt | Mantisbt | 1.3.0 | rc2 | Affected
Mantisbt | Mantisbt | 1.3.1 | - | Affected
Mantisbt | Mantisbt | 1.3.2 | - | Affected
Mantisbt | Mantisbt | 1.3.3 | - | Affected
Mantisbt | Mantisbt | 1.3.4 | - | Affected
Mantisbt | Mantisbt | 1.3.5 | - | Affected
Mantisbt | Mantisbt | 1.3.6 | - | Affected
Mantisbt | Mantisbt | 1.3.7 | - | Affected
Mantisbt | Mantisbt | 1.3.8 | - | Affected
Mantisbt | Mantisbt | 1.3.9 | - | Affected
Mantisbt | Mantisbt | 2.0.0 | - | Affected
Mantisbt | Mantisbt | 2.0.0 | beta1 | Affected
Mantisbt | Mantisbt | 2.0.0 | beta2 | Affected
Mantisbt | Mantisbt | 2.0.0 | beta3 | Affected
Mantisbt | Mantisbt | 2.0.0 | rc1 | Affected
Mantisbt | Mantisbt | 2.0.0 | rc2 | Affected
Mantisbt | Mantisbt | 2.0.1 | - | Affected
Mantisbt | Mantisbt | 2.1.0 | - | Affected
Mantisbt | Mantisbt | 2.1.1 | - | Affected
Mantisbt | Mantisbt | 2.1.2 | - | Affected
Mantisbt | Mantisbt | 2.1.3 | - | Affected
Mantisbt | Mantisbt | 2.2.0 | - | Affected
Mantisbt | Mantisbt | 2.2.1 | - | Affected
Mantisbt | Mantisbt | 2.2.2 | - | Affected
Mantisbt | Mantisbt | 2.2.3 | - | Affected
Mantisbt | Mantisbt | 2.3.0 | - | Affected