CVE-2017-12061

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-12061

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12061.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-12061

Aliases

GHSA-98xr-mmq5-vc5h

Published

2017-08-01T15:29:00Z

Modified

2025-07-01T23:27:55.506929Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $fdatabase, $fdbusername, and $fadmin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.

References

Affected packages

Git / github.com/mantisbt/mantisbt

Affected ranges

Type: GIT
Repo: https://github.com/mantisbt/mantisbt
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

17f9b94f031ba93ae2a727bca0e68458ecd08fb0

Fixed

c73ae3d3d4dd4681489a9e697e8ade785e27cba5

Affected versions

release-1.*

release-1.2.0a1

release-1.2.0a2

release-1.2.0a3

release-1.2.0rc1

release-1.3.0

release-1.3.0-beta.1

release-1.3.0-beta.2

release-1.3.0-beta.3

release-1.3.0-rc.1

release-1.3.0-rc.2

release-1.3.1

release-1.3.10

release-1.3.11

release-1.3.2

release-1.3.3

release-1.3.4

release-1.3.5

release-1.3.6

release-1.3.7

release-1.3.8

release-1.3.9

release-2.*

release-2.0.0

release-2.0.0-beta.1

release-2.0.0-beta.2

release-2.0.0-beta.3

release-2.0.0-rc.1

release-2.0.0-rc.2

release-2.1.0

release-2.1.1

release-2.2.0

release-2.2.1

release-2.2.2

release-2.3.0

release-2.3.1

release-2.3.2

release-2.4.0

release-2.4.1

release-2.5.0

release-2.5.1