CVE-2017-7897
- Public Exploits: 2
- Exploited in Wild: -
- Decision: -
Descriptions
A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs.
An XSS vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in the My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) via a crafted PATH_INFO in a URL, due to the use of unsanitized $_SERVER['PHP_SELF'] to generate URLs.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2017-04-18 CVE Reserved
- 2017-04-18 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-10-31 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
URL | Tag | Date
---|---|---
http://www.securitytracker.com/id/1038278 | Vdb Entry |
http://www.mantisbt.org/bugs/view.php?id=22742 | | 2024-08-05
https://github.com/mantisbt/mantisbt/pull/1094 | | 2024-08-05
https://github.com/mantisbt/mantisbt/commit/a1c719313d61b07bbe8700005807b8195fdc32f1 | | 2017-07-11
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Mantisbt | Mantisbt | 2.3.0 | - | Affected
Mantisbt | Mantisbt | 2.3.1 | - | Affected