A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (admconfigreport.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter. This is fixed in 1.3.8, 2.1.2, and 2.2.2.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:mantisbt:mantisbt:1.3.0:rc2:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta1:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta2:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta3:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.0.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.0.0:rc2:*:*:*:*:*:*"
],
"vendor_product": "mantisbt:mantisbt",
"extracted_events": [
{
"introduced": "1.3.0-rc2"
},
{
"last_affected": "1.3.0-rc2"
},
{
"introduced": "2.0.0-beta1"
},
{
"last_affected": "2.0.0-beta1"
},
{
"introduced": "2.0.0-beta2"
},
{
"last_affected": "2.0.0-beta2"
},
{
"introduced": "2.0.0-beta3"
},
{
"last_affected": "2.0.0-beta3"
},
{
"introduced": "2.0.0-rc1"
},
{
"last_affected": "2.0.0-rc1"
},
{
"introduced": "2.0.0-rc2"
},
{
"last_affected": "2.0.0-rc2"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": [
"cpe:2.3:a:mantisbt:mantisbt:1.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:1.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:1.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:1.3.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:1.3.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:1.3.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:1.3.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:1.3.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:1.3.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:mantisbt:mantisbt:2.2.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "1.3.1"
},
{
"last_affected": "1.3.1"
},
{
"introduced": "1.3.2"
},
{
"last_affected": "1.3.2"
},
{
"introduced": "1.3.3"
},
{
"last_affected": "1.3.3"
},
{
"introduced": "1.3.4"
},
{
"last_affected": "1.3.4"
},
{
"introduced": "1.3.5"
},
{
"last_affected": "1.3.5"
},
{
"introduced": "1.3.6"
},
{
"last_affected": "1.3.6"
},
{
"introduced": "1.3.7"
},
{
"last_affected": "1.3.7"
},
{
"introduced": "1.3.8"
},
{
"last_affected": "1.3.8"
},
{
"introduced": "1.3.9"
},
{
"last_affected": "1.3.9"
},
{
"introduced": "2.0.0"
},
{
"last_affected": "2.0.0"
},
{
"introduced": "2.0.1"
},
{
"last_affected": "2.0.1"
},
{
"introduced": "2.1.0"
},
{
"last_affected": "2.1.0"
},
{
"introduced": "2.1.1"
},
{
"last_affected": "2.1.1"
},
{
"introduced": "2.1.2"
},
{
"last_affected": "2.1.2"
},
{
"introduced": "2.1.3"
},
{
"last_affected": "2.1.3"
},
{
"introduced": "2.2.0"
},
{
"last_affected": "2.2.0"
},
{
"introduced": "2.2.1"
},
{
"last_affected": "2.2.1"
}
],
"source": "CPE_STRING"
}