Description
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.
References
- Mailing List, Third Party Advisory
- Mailing List, Third Party Advisory
- Third Party Advisory, VDB Entry
- Patch, Third Party Advisory
- Patch, Third Party Advisory
- Issue Tracking, Vendor Advisory
Vulnerable configurations
Configuration 1: version from 1.3.0 (inclusive) up to 1.3.12 (exclusive); version from 2.0.0 (inclusive) up to 2.5.2 (exclusive)
One of
cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*
cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*
EPSS
Percentile: 77%
Score: 0.01034
Low
CVSS3: 6.1 Medium
CVSS2: 4.3 Medium
Weaknesses
CWE-79
Related vulnerabilities
CVSS3: 6.1
debian
more than 8 years ago
An XSS issue was discovered in admin/install.php in MantisBT before 1. ...
CVSS3: 6.1
github
more than 3 years ago
MantisBT XSS allows unsanitized input via admin/install.php