CVE-2017-12062

An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
mantisbtmantisbt
2.1.0
mantisbtmantisbt
2.1.1
mantisbtmantisbt
2.1.2
mantisbtmantisbt
2.1.3
mantisbtmantisbt
2.2.0
mantisbtmantisbt
2.2.1
mantisbtmantisbt
2.2.2
mantisbtmantisbt
2.2.3
mantisbtmantisbt
2.2.4
mantisbtmantisbt
2.3.0
mantisbtmantisbt
2.3.1
mantisbtmantisbt
2.3.2
mantisbtmantisbt
2.3.3
mantisbtmantisbt
2.4.0
mantisbtmantisbt
2.4.1
mantisbtmantisbt
2.4.2
mantisbtmantisbt
2.5.0
mantisbtmantisbt
2.5.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://openwall.com/lists/oss-security/2017/08/01/1
http://openwall.com/lists/oss-security/2017/08/01/2
http://www.securitytracker.com/id/1039030
https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7
https://mantisbt.org/bugs/view.php?id=23166
http://openwall.com/lists/oss-security/2017/08/01/1
http://openwall.com/lists/oss-security/2017/08/01/2
http://www.securitytracker.com/id/1039030
https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7
https://mantisbt.org/bugs/view.php?id=23166