SCA: security update for mantisbt/mantisbt (GHSA-x53v-v9xp-gf6g)

medium Tenable Cloud Security Plugin ID 437321

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page
(move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through
a crafted 'type' parameter, if Content Security Protection (CSP) settings allows it. This is fixed in
1.3.9, 2.1.3, and 2.2.3. Note that this vulnerability is not exploitable if the admin tools directory is
removed, as recommended in the "Post-installation and upgrade tasks" of the MantisBT Admin Guide. A
reminder to do so is also displayed on the login page. (CVE-2017-7241)

See Also

https://github.com/advisories/GHSA-x53v-v9xp-gf6g

Plugin Details

Severity: Medium

ID: 437321

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 1/28/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.7

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2017-7241

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/17/2022

Vulnerability Publication Date: 3/31/2017

Reference Information

CVE: CVE-2017-7241

BID: 97253

cwe: CWE-79