CVE-2017-7897

Source
https://cve.org/CVERecord?id=CVE-2017-7897
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-7897.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-7897
Aliases
Published
2017-04-18T17:59:00.163Z
Modified
2026-05-17T11:54:09.942270345Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs.

References

Affected packages