GHSA-8r2m-qhff-jm2c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8r2m-qhff-jm2c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r2m-qhff-jm2c/GHSA-8r2m-qhff-jm2c.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-8r2m-qhff-jm2c
- Aliases
- Published
- 2022-05-17T02:31:57Z
- Modified
- 2025-06-04T23:44:46.016293Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- MantisBT XSS via my_view_page.php and view_user_page.php
- Details
-
A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (myviewpage.php) and User Information (viewuserpage.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATHINFO in a URL, due to use of unsanitized $SERVER['PHP_SELF'] to generate URLs.
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2017-04-18T17:59:00Z", "github_reviewed_at": "2025-06-04T23:04:14Z", "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Packagist / mantisbt/mantisbt
Package
- Name
- mantisbt/mantisbt
- Purl
- pkg:composer/mantisbt/mantisbt