CVE-2017-7309: MantisBT vulnerable to XSS through config_option parameter in adm_config_report.php
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary HTML or script (if the site's Content Security Policy permits it) through a crafted ‘config_option’ parameter. The parameter is reflected into the page's filter form without adequate escaping, so the practical attack is a crafted link opened by a logged-in user who has access to that administrative report. This is fixed in 1.3.9, 2.1.3, and 2.2.3; the linked commits carry the change.
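The defect class behind this advisory, shown as an added example rather than MantisBT's own code: a request parameter written straight into an HTML attribute, next to the escaped form. The markup, the function names and the `$t_` variable prefix are assumptions made for illustration; the exact template line that was changed in adm_config_report.php is not reproduced here.

```php
<?php
// Added example, not MantisBT code. It models the kind of reflected XSS
// described for adm_config_report.php: a query-string value echoed into a
// value="" attribute without escaping. The markup is an assumption.

/**
 * Vulnerable pattern (hypothetical reconstruction): the filter value from the
 * request is concatenated into the attribute as-is.
 */
function render_filter_vulnerable(array $get): string
{
    $t_filter_config_option = $get['config_option'] ?? '';
    return '<input type="text" name="config_option" value="'
        . $t_filter_config_option . '" />';
}

/**
 * Hardened pattern: escape for the HTML attribute context before output.
 * MantisBT's own helper for this is string_attribute(); plain
 * htmlspecialchars() with ENT_QUOTES is used here so the file runs
 * stand-alone outside MantisBT.
 */
function render_filter_fixed(array $get): string
{
    $t_filter_config_option = $get['config_option'] ?? '';
    return '<input type="text" name="config_option" value="'
        . htmlspecialchars($t_filter_config_option, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '" />';
}

/**
 * Check: does the rendered markup still contain the raw attribute-breaking
 * payload? True means the value reached the page unescaped.
 */
function reflects_unescaped(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed request (not a captured exploit): the payload closes the
// value attribute and adds an event-handler attribute of its own.
$t_payload = '" onfocus="alert(document.domain)" autofocus="';
$t_request = ['config_option' => $t_payload];

$t_vuln  = render_filter_vulnerable($t_request);
$t_fixed = render_filter_fixed($t_request);

printf("vulnerable: %s\n  reflects unescaped: %s\n",
    $t_vuln, reflects_unescaped($t_vuln, $t_payload) ? 'yes' : 'no');
printf("fixed:      %s\n  reflects unescaped: %s\n",
    $t_fixed, reflects_unescaped($t_fixed, $t_payload) ? 'yes' : 'no');
```

Run with `php xss_demo.php`. The vulnerable branch renders a second, attacker-controlled attribute on the input element; the fixed branch renders the same bytes as `&quot;`-escaped text inside the original attribute. Whether the injected handler actually executes in a browser depends on the site's Content-Security-Policy, which is the caveat in the advisory text: a policy that forbids inline script blocks this particular payload, but the escaping is still the fix, since CSP is a mitigation rather than a substitute for output encoding.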
References
- github.com/advisories/GHSA-4w6c-3hcx-rfj5
- github.com/mantisbt/mantisbt
- github.com/mantisbt/mantisbt/commit/0243375e32bc24878e309f3d6ef6d8cfb3e2f278
- github.com/mantisbt/mantisbt/commit/c9e5b1d0404503022605459552faeaf610bf15ae
- github.com/mantisbt/mantisbt/commit/e881dd79df422033bbea88914fc0a717fae40358
- nvd.nist.gov/vuln/detail/CVE-2017-7309