Detections
Analytics
Mantis 1.2.x < 1.2.3 Cross-Site Scripting Vulnerability
medium Nessus Network Monitor Plugin ID 5676
Synopsis
The remote web server is hosting a web application that is vulnerable to multiple cross-site scripting attacks.Description
The remote web server is hosting Mantis, an open source bugtracking application written in PHP.Versions of Mantis 1.2.x prior to 1.2.3 are potentially affected by multiple cross-site scripting vulnerabilities :
- A cross-site scripting issue exists when viewing the Summary page. (Bug 0012309)
- A cross-site scripting issue exists in print_all_bug_page_word.php when printing project and category names. (Bug 0012238)
- Multiple cross-site scripting issues exist which relate to custom field enumeration values. (Bug 0012232)
- A cross-site scripting vulnerability exists when deleting maliciously named categories. (Bug 012230)
- A cross-site scripting issue exists in NuSOAP WSDL. (Bug 0012312)
Solution
Upgrade to Mantis 1.2.3 or later.See Also
http://www.mantisbt.org/blog/?p=117
http://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.3
Plugin Details
Severity: Medium
ID: 5676
Family: CGI
Published: 9/30/2010
Updated: 3/6/2019
Risk Information
VPR
Risk Factor: Low
Score: 3.8
CVSS v2
Risk Factor: Medium
Base Score: 5.8
Temporal Score: 4.8
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS v3
Risk Factor: Medium
Base Score: 4.8
Temporal Score: 4.5
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:mantisbt:mantisbt
Patch Publication Date: 9/14/2010
Vulnerability Publication Date: 9/14/2010
Reference Information
CVE: CVE-2010-2574, CVE-2010-3070, CVE-2010-3303
BID: 43604