Skip to main content

Mantisbt CVE-2016-7111

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2017-02-17 cve@mitre.org
4.7
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 17, 2017 - 17:59 cve.org
MEDIUM 4.7

DescriptionCVE.org

MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

AnalysisAI

MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. Affected products include: Mantisbt. Version information: before 1.3.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2017-7615 HIGH POC
8.8 Apr 16

MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value

CVE-2014-7146 HIGH POC
7.5 Nov 18

The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a cr

CVE-2014-8598 MEDIUM POC
6.4 Nov 18

The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arb

CVE-2014-2238 MEDIUM POC
6.5 Mar 05

SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 a

CVE-2019-15074 CRITICAL POC
9.6 Aug 21

The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerabilit

CVE-2024-23830 HIGH POC
8.3 Feb 20

MantisBT is an open source issue tracker. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no

CVE-2012-2691 HIGH POC
7.5 Jun 17

The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which al

CVE-2014-9280 HIGH POC
7.5 Dec 08

The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers

CVE-2014-8554 HIGH POC
7.5 Nov 13

SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before

CVE-2014-9089 HIGH POC
7.5 Nov 28

Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to exec

CVE-2014-1608 HIGH POC
7.5 Mar 18

SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows re

CVE-2014-1609 HIGH POC
7.5 Mar 20

Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL command

Share

CVE-2016-7111 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy