Three cross-site scripting issues were reported in MantisBT:

CVE-2017-6973: A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter. This is fixed in 1.3.8, 2.1.2, and 2.2.2.

CVE-2017-7241: A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allow it. This is fixed in 1.3.9, 2.1.3, and 2.2.3. Note that this vulnerability is not exploitable if the admin tools directory is removed, as recommended in the "Post-installation and upgrade tasks" of the MantisBT Admin Guide. A reminder to do so is also displayed on the login page.

CVE-2017-7309: A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed in 1.3.9, 2.1.3, and 2.2.3.

Upstream bugs:
http://www.mantisbt.org/bugs/view.php?id=22537
http://www.mantisbt.org/bugs/view.php?id=22568
http://www.mantisbt.org/bugs/view.php?id=22579

References:
http://openwall.com/lists/oss-security/2017/03/30/4
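As an added illustration (not part of the bug report or of MantisBT itself), the following script scans web-server access logs for requests that hit the three reported sinks (the 'action' and 'config_option' parameters of adm_config_report.php and the 'type' parameter of move_attachments_page.php) with markup in them, which is what a defender would look for while waiting to apply the fixed versions or remove the admin directory. The log format, the markup heuristic and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Scripts and parameters named in the three MantisBT advisories.
WATCHED = {
    "adm_config_report.php": {"action", "config_option"},  # CVE-2017-6973, CVE-2017-7309
    "move_attachments_page.php": {"type"},                 # CVE-2017-7241
}

# Assumed Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Heuristic for HTML/JS in a value: a tag opener, a javascript: URL, or an on*= handler.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def suspicious_params(request_path):
    """Return (script, {param: value}) if a watched parameter carries markup, else None."""
    parts = urlsplit(request_path)
    script = parts.path.rsplit("/", 1)[-1]
    watched = WATCHED.get(script)
    if not watched:
        return None
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in watched:
            for value in values:
                # parse_qs decoded once; decode again so double-encoded payloads are seen.
                if MARKUP_RE.search(value) or MARKUP_RE.search(unquote_plus(value)):
                    hits[name] = value
    return (script, hits) if hits else None


def scan(lines):
    """Scan access-log lines; return one finding dict per request with a markup-bearing sink."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the assumed format
        client, ts, method, path, status = m.groups()
        hit = suspicious_params(path)
        if hit:
            findings.append({"client": client, "time": ts, "method": method,
                             "script": hit[0], "params": hit[1], "status": int(status)})
    return findings


# Constructed sample log lines (not real traffic); two of the four should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2017:10:15:01 +0000] "GET /mantis/adm_config_report.php?action=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '203.0.113.5 - - [30/Mar/2017:10:15:07 +0000] "GET /mantis/adm_config_report.php?action=filter&config_option=allow_file_upload HTTP/1.1" 200 4980',
    '198.51.100.9 - - [30/Mar/2017:10:16:22 +0000] "GET /mantis/admin/move_attachments_page.php?type=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 3300',
    '198.51.100.9 - - [30/Mar/2017:10:16:30 +0000] "GET /mantis/view.php?id=22537 HTTP/1.1" 200 9000',
]
```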
Created mantis tracking bugs for this issue:

Affects: epel-5 [bug 1437824]
Affects: fedora-all [bug 1437823]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.