GHSA-3qv7-98vm-xx2v

Source
https://github.com/advisories/GHSA-3qv7-98vm-xx2v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3qv7-98vm-xx2v/GHSA-3qv7-98vm-xx2v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3qv7-98vm-xx2v
Aliases
Published
2022-05-24T16:48:31Z
Modified
2025-05-29T16:14:30.754250Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
MantisBT cross-site scripting (XSS) vulnerability through crafted PATH_INFO
Details

A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) and Edit Filter page (manage_filter_edit_page.php) in MantisBT 2.1.0 through 2.17.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-13055.

Database specific
{
    "nvd_published_at": "2019-06-20T14:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-29T15:23:15Z"
}
References

Affected packages

Packagist / mantisbt/mantisbt

Package

Name
mantisbt/mantisbt
Purl
pkg:composer/mantisbt/mantisbt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.17.1

Affected versions

2.*
2.3.0
2.3.1
2.3.2
2.3.3
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.10.0
2.10.1
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.13.2
2.14.0
2.15.0
2.15.1
2.16.0
2.16.1
2.17.0

Database specific

last_known_affected_version_range
"<= 2.17.0"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3qv7-98vm-xx2v/GHSA-3qv7-98vm-xx2v.json"