CVE-2017-12062: MantisBT vulnerable to XSS via unsanitized filter field in manage_user_page.php
An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The ‘filter’ field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.
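The defect class described above, as an added illustration that is not MantisBT's own code: a request parameter is echoed into an HTML attribute once unencoded and once encoded for that context. The function names and the sample value are assumptions made for the example; output encoding is the fix, and CSP only limits the impact when encoding is missing.

```php
<?php
// Added illustration, not MantisBT's actual manage_user_page.php code.
// The function names below are hypothetical.

// Vulnerable pattern: the raw parameter value is concatenated into markup,
// so any markup characters it carries become part of the page.
function render_filter_unsafe(string $filter): string
{
    return '<input type="text" name="filter" value="' . $filter . '" />';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES also encodes single quotes; the charset is stated explicitly.
function render_filter_safe(string $filter): string
{
    $encoded = htmlspecialchars($filter, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="filter" value="' . $encoded . '" />';
}

// Self-check: after encoding, none of the HTML metacharacters that can
// close the attribute or open a tag survive in raw form.
function output_is_encoded(string $html, string $rawValue): bool
{
    $stripped = str_replace(
        '<input type="text" name="filter" value="', '', $html
    );
    $stripped = substr($stripped, 0, -strlen('" />'));
    return !preg_match('/[<>"\']/', $stripped)
        && html_entity_decode($stripped, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $rawValue;
}

// Constructed sample value containing <, >, & and " (no real request data).
$sample = 'Bob <Admin> & "Co"';

// In a web context $sample would come from $_GET['filter'] or similar.
$unsafe = render_filter_unsafe($sample);
$safe   = render_filter_safe($sample);

var_dump(output_is_encoded($unsafe, $sample)); // unencoded: check fails
var_dump(output_is_encoded($safe, $sample));   // encoded: check passes
```

Run with `php example.php`; the same encoding must be applied at every point where the parameter is written into HTML, using the encoding appropriate to the context (attribute, element body, JavaScript string).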
Detect and mitigate CVE-2017-12062 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.