QwikSec

Security Database

CVE

CWE

Training

CVE-2017-12061

Published: Aug 1, 2017

Modified: Aug 5, 2024

PUBLISHED

Description

An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://openwall.com/lists/oss-security/2017/08/01/1

x_refsource_CONFIRM

https://mantisbt.org/bugs/view.php?id=23146

x_refsource_CONFIRM

vdb-entry

x_refsource_SECTRACK

https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458ecd08fb0

x_refsource_CONFIRM

http://openwall.com/lists/oss-security/2017/08/01/2

x_refsource_CONFIRM

https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade785e27cba5

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.