CVE-2017-7620 — MantisBT vulnerable to CSRF and Open Redirect attacks

Description

MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI.

How to fix CVE-2017-7620

To remediate CVE-2017-7620, upgrade the affected package to a fixed version below.

—upgrade to 1.3.11 or later

Is CVE-2017-7620 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.3.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-7620
PATCHgithub.com/mantisbt/mantisbt
WEBhyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt
WEBgithub.com/mantisbt/mantisbt/commit/2d2309a384bcd9d4b6d7d2928e8ded2c46d2d7b0