CVE-2017-12061

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-12061
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12061.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-12061
Published
2017-08-01T15:29:00Z
Modified
2025-01-15T01:22:16.053311Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $fdatabase, $fdbusername, and $fadmin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.

References

Affected packages

Git / github.com/mantisbt/mantisbt

Affected ranges

Type
GIT
Repo
https://github.com/mantisbt/mantisbt
Events

Affected versions

release-1.*

release-1.2.0a1
release-1.2.0a2
release-1.2.0a3
release-1.2.0rc1
release-1.3.0
release-1.3.0-beta.1
release-1.3.0-beta.2
release-1.3.0-beta.3
release-1.3.0-rc.1
release-1.3.0-rc.2
release-1.3.1
release-1.3.10
release-1.3.11
release-1.3.2
release-1.3.3
release-1.3.4
release-1.3.5
release-1.3.6
release-1.3.7
release-1.3.8
release-1.3.9

release-2.*

release-2.0.0
release-2.0.0-beta.1
release-2.0.0-beta.2
release-2.0.0-beta.3
release-2.0.0-rc.1
release-2.0.0-rc.2
release-2.1.0
release-2.1.1
release-2.2.0
release-2.2.1
release-2.2.2
release-2.3.0
release-2.3.1
release-2.3.2
release-2.4.0
release-2.4.1
release-2.5.0
release-2.5.1