CVE-2017-12062
MantisBT vulnerable to XSS via unsanitized filter field in manage_user_page.php
Score: 6.1 MEDIUM (CVSS 3.1); EPSS 0.74%
Description
An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.
How to fix CVE-2017-12062
To remediate CVE-2017-12062, upgrade the affected package to a fixed version below.
- Upgrade MantisBT to 2.5.2 or later
Is CVE-2017-12062 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- MantisBT >= 2.0.0, < 2.5.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |