CVE-2017-7897

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-7897
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-7897.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-7897
Published
2017-04-18T17:59:00Z
Modified
2025-01-08T10:14:07.631015Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in the My View (myviewpage.php) and User Information (viewuserpage.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATHINFO in a URL, due to use of the unsanitized $_SERVER['PHP_SELF'] value to generate URLs.

References

Affected packages

Git / github.com/mantisbt/mantisbt

Affected ranges

Type
GIT
Repo
https://github.com/mantisbt/mantisbt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

release-1.*

release-1.2.0a1
release-1.2.0a2
release-1.2.0a3
release-1.2.0rc1
release-1.3.0
release-1.3.0-beta.1
release-1.3.0-beta.2
release-1.3.0-beta.3
release-1.3.0-rc.1
release-1.3.0-rc.2
release-1.3.1
release-1.3.2
release-1.3.3
release-1.3.4
release-1.3.5
release-1.3.6

release-2.*

release-2.0.0
release-2.0.0-beta.1
release-2.0.0-beta.2
release-2.0.0-beta.3
release-2.0.0-rc.1
release-2.0.0-rc.2
release-2.1.0
release-2.1.1
release-2.2.0
release-2.2.1
release-2.2.2
release-2.3.0
release-2.3.1