Vulnerability Details : CVE-2017-12062
Potential exploit
An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2017-12062
- cpe:2.3:a:mantisbt:mantisbt:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-12062
- 0.27%: Probability of exploitation activity in the next 30 days
- ~ 67%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-12062
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2017-12062
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-12062
- http://openwall.com/lists/oss-security/2017/08/01/2
  oss-security - Re: Advisory: XSS issues in MantisBT (CVE-2017-12061, CVE-2017-12062) [Mailing List; Third Party Advisory]
- https://mantisbt.org/bugs/view.php?id=23166
  0023166: CVE-2017-12062: XSS in manage_user_page.php - MantisBT [Exploit; Issue Tracking; Vendor Advisory]
- http://www.securitytracker.com/id/1039030
  MantisBT Input Validation Flaws in '/admin/install.php' and 'manage_user_page.php' Let Remote Users Conduct Cross-Site Scripting Attacks - SecurityTracker [Third Party Advisory; VDB Entry]
- http://openwall.com/lists/oss-security/2017/08/01/1
  oss-security - Advisory: XSS issues in MantisBT (CVE-2017-12061, CVE-2017-12062) [Mailing List; Third Party Advisory]
- https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7
  Fix XSS in manage_user_page.php (CVE-2017-12062) · mantisbt/mantisbt@9b5b71d · GitHub [Patch; Third Party Advisory]