Skip to content

Commit 9531aa7

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-x53v-v9xp-gf6g GHSA-x53v-v9xp-gf6g
1 parent f165196 commit 9531aa7

File tree

2 files changed

+111
-48
lines changed

2 files changed

+111
-48
lines changed

advisories/github-reviewed/2022/05/GHSA-x53v-v9xp-gf6g/GHSA-x53v-v9xp-gf6g.json

Lines changed: 111 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,111 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-x53v-v9xp-gf6g",
4+
"modified": "2025-06-11T18:50:11Z",
5+
"published": "2022-05-17T02:30:07Z",
6+
"aliases": [
7+
"CVE-2017-7241"
8+
],
9+
"summary": "MantisBT XSS via move_attachments_page.php",
10+
"details": "A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allows it. This is fixed in 1.3.9, 2.1.3, and 2.2.3. Note that this vulnerability is not exploitable if the admin tools directory is removed, as recommended in the \"Post-installation and upgrade tasks\" of the MantisBT Admin Guide. A reminder to do so is also displayed on the login page.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "mantisbt/mantisbt"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.3.9"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "mantisbt/mantisbt"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "2.0.0"
48+
},
49+
{
50+
"fixed": "2.1.3"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Packagist",
59+
"name": "mantisbt/mantisbt"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "2.2.0"
67+
},
68+
{
69+
"fixed": "2.2.3"
70+
}
71+
]
72+
}
73+
]
74+
}
75+
],
76+
"references": [
77+
{
78+
"type": "ADVISORY",
79+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7241"
80+
},
81+
{
82+
"type": "WEB",
83+
"url": "https://github.com/mantisbt/mantisbt/commit/2d55c6476e939db021128b3995c28dcae05b09a4"
84+
},
85+
{
86+
"type": "WEB",
87+
"url": "https://github.com/mantisbt/mantisbt/commit/d31841c806a3c8379fcf6c9d9559451270b0f1cb"
88+
},
89+
{
90+
"type": "WEB",
91+
"url": "https://github.com/mantisbt/mantisbt/commit/ecef0e9b523a460709e8feedfce72f05bb30b992"
92+
},
93+
{
94+
"type": "PACKAGE",
95+
"url": "https://github.com/mantisbt/mantisbt"
96+
},
97+
{
98+
"type": "WEB",
99+
"url": "http://www.mantisbt.org/bugs/view.php?id=22568"
100+
}
101+
],
102+
"database_specific": {
103+
"cwe_ids": [
104+
"CWE-79"
105+
],
106+
"severity": "MODERATE",
107+
"github_reviewed": true,
108+
"github_reviewed_at": "2025-06-11T18:50:10Z",
109+
"nvd_published_at": "2017-03-31T04:59:00Z"
110+
}
111+
}

advisories/unreviewed/2022/05/GHSA-x53v-v9xp-gf6g/GHSA-x53v-v9xp-gf6g.json

Lines changed: 0 additions & 48 deletions
This file was deleted.

0 commit comments

Comments
 (0)