CVE-2017-7309

Published: Mar 31, 2017Modified: May 13, 2026

4.8

Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed in 1.3.9, 2.1.3, and 2.2.3.

Affected (24)

Products: Mantisbt: Mantisbt

Mantisbt

1 product

Mantisbt

Configuration A

24 vulnerable

Vulnerable Software	Affected Versions
Mantisbt Mantisbt	Version 1.3.0 rc2
Mantisbt Mantisbt	Version 1.3.1
Mantisbt Mantisbt	Version 1.3.2
Mantisbt Mantisbt	Version 1.3.3
Mantisbt Mantisbt	Version 1.3.4
Mantisbt Mantisbt	Version 1.3.5
Mantisbt Mantisbt	Version 1.3.6
Mantisbt Mantisbt	Version 1.3.7
Mantisbt Mantisbt	Version 1.3.8
Mantisbt Mantisbt	Version 1.3.9
Mantisbt Mantisbt	Version 2.0.0
Mantisbt Mantisbt	Version 2.0.0 beta1
Mantisbt Mantisbt	Version 2.0.0 beta2
Mantisbt Mantisbt	Version 2.0.0 beta3
Mantisbt Mantisbt	Version 2.0.0 rc1
Mantisbt Mantisbt	Version 2.0.0 rc2
Mantisbt Mantisbt	Version 2.0.1
Mantisbt Mantisbt	Version 2.1.0
Mantisbt Mantisbt	Version 2.1.1
Mantisbt Mantisbt	Version 2.1.2
Mantisbt Mantisbt	Version 2.1.3
Mantisbt Mantisbt	Version 2.2.0
Mantisbt Mantisbt	Version 2.2.1
Mantisbt Mantisbt	Version 2.2.2