| Bug ID | 1051697 |
|---|---|
| Summary | VUL-0: CVE-2017-12061: mantis,mantisbt: XSS in /admin/install.php script |
| Classification | openSUSE |
| Product | openSUSE.org |
| Version | unspecified |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | 3rd party software |
| Assignee | astieger@suse.com |
| Reporter | astieger@suse.com |
| QA Contact | security-team@suse.de |
| Found By | Security Response Team |
| Blocker | --- |
CVE-2017-12061: XSS in /admin/install.php script A cross-site scripting (XSS) vulnerability in the MantisBT Installation script allows remote attackers to inject arbitrary code through crafted parameters. This is only possible if the admin/ folder was not deleted after installation, as recommended in the MantisBT Admin Guide [1]. Affected versions: 1.3.11 and older, 2.5.1 and older Fixed in versions: 1.3.12, 2.5.2, 2.6.0 (not yet released*) Patch: - 1.3: https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458ecd08fb0 - 2.x: https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade785e27cba5 Credits: - Reported by aLLy from ONSEC (https://twitter.com/IamSecurity) - Fixed by Damien Regad (MantisBT Developer) References: - MantisBT issue tracker https://mantisbt.org/bugs/view.php?id=23146 [1] http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.postcommon * Releases 1.3.12, 2.5.2 and 2.6.0 are scheduled for release in the coming week.