GHSA-98xr-mmq5-vc5h

Source
https://github.com/advisories/GHSA-98xr-mmq5-vc5h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-98xr-mmq5-vc5h/GHSA-98xr-mmq5-vc5h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-98xr-mmq5-vc5h
Aliases
Published
2022-05-13T01:05:25Z
Modified
2025-05-30T15:13:33.405497Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
MantisBT XSS allows unsanitized input via admin/install.php
Details

An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $fdatabase, $fdbusername, and $fadmin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.

Database specific
{
    "nvd_published_at": "2017-08-01T15:29:00Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2025-05-30T14:34:46Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Packagist / mantisbt/mantisbt

Package

Name
mantisbt/mantisbt
Purl
pkg:composer/mantisbt/mantisbt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.3.12

Database specific

{
    "last_known_affected_version_range": "<= 1.3.11"
}

Packagist / mantisbt/mantisbt

Package

Name
mantisbt/mantisbt
Purl
pkg:composer/mantisbt/mantisbt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.5.2

Affected versions

2.*

2.3.0
2.3.1
2.3.2
2.3.3
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1