CVE-2017-7222
Last modified
CVE-2017-7222 is a vulnerability of currently unknown severity. A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration. This requires privileged access to MantisBT configuration management pages (i.e., administrator access rights) or altering the system configuration file (config_inc.php).. EPSS estimates a 0.81% chance of exploitation in the next 30 days.
Description
A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration. This requires privileged access to MantisBT configuration management pages (i.e., administrator access rights) or altering the system configuration file (config_inc.php).
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mantisbt | Mantisbt | <= 2.1.0 |
References
- http://github.com/mantisbt/mantisbt/commit/a85b0b96c8ebe3e010d0d016cf88ab3c8bfc196aPatch, Third Party Advisory
- https://mantisbt.org/bugs/view.php?id=22266Patch, Vendor Advisory
- http://github.com/mantisbt/mantisbt/commit/a85b0b96c8ebe3e010d0d016cf88ab3c8bfc196aPatch, Third Party Advisory
- https://mantisbt.org/bugs/view.php?id=22266Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-7222?
How severe is CVE-2017-7222?
How do I fix CVE-2017-7222?
Are you affected by CVE-2017-7222?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST