CVE-2017-6973: MantisBT XSS via adm_config_report.php's action parameter
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code via a crafted 'action' parameter. The issue is fixed in MantisBT versions 1.3.8, 2.1.2, and 2.2.2.
References
- github.com/advisories/GHSA-v7qf-22rw-chph
- github.com/mantisbt/mantisbt
- github.com/mantisbt/mantisbt/commit/034cd07b47af37366fc7b726cb4a4f971d3d3fb9
- github.com/mantisbt/mantisbt/commit/15e52e84c389afe8b03ed3cdb59b6549257ed197
- github.com/mantisbt/mantisbt/commit/da74c5aa02bcf21cfaab1180f892c22415e5fea6
- nvd.nist.gov/vuln/detail/CVE-2017-6973