MantisBT 1.2.13 <= 1.2.19 XSS

Medium Nessus Network Monitor Plugin ID 8678


The remote web server is hosting an outdated web application that is vulnerable to multiple cross-site scripting attacks.


The remote web server is hosting MantisBT, an open source bug tracking application written in PHP.

Versions of MantisBT 1.2.13 through 1.2.19 are affected by two cross-site scripting vulnerabilities in the 'adm_config_report.php' script due to a lack of user input sanitization. The first affects the 'filter_config_id' parameter of 'adm_config_report.php'. The second arises because user-supplied input is not checked for validity when form variable filters are saved and later passed to the script. A remote attacker could create a specially crafted request that executes arbitrary script code in a user's browser session within the trust relationship between the browser and the server.


Upgrade to MantisBT 1.2.20 or later.
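The flaw class above is reflected output of a request parameter without encoding. The following PHP snippet is an added illustration for this plugin page, not MantisBT's own source: the function names, the HTML layout and the sample request are assumptions. It contrasts a handler that echoes 'filter_config_id' raw with one that encodes it for the HTML attribute context and, as a second layer, validates that the value is a plain integer before it is used.

```php
<?php
// Added illustration (hypothetical, not MantisBT code): a report page that
// reflects a request parameter into an HTML attribute.

// Vulnerable pattern: the untrusted query parameter is written straight into
// the page, so a value containing a quote can close the attribute early and
// inject markup or an event handler.
function render_filter_vulnerable(array $get): string {
    $id = $get['filter_config_id'] ?? '';
    return '<input type="text" name="filter_config_id" value="' . $id . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES encodes
// both quote characters; ENT_SUBSTITUTE prevents invalid UTF-8 from silently
// producing an empty string.
function render_filter_hardened(array $get): string {
    $id   = $get['filter_config_id'] ?? '';
    $safe = htmlspecialchars((string)$id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="filter_config_id" value="' . $safe . '">';
}

// Second layer: the parameter is an identifier, so reject anything that is not
// a short positive integer before it reaches the rest of the script.
function filter_config_id(array $get): ?int {
    $id = $get['filter_config_id'] ?? null;
    if ($id === null || !preg_match('/^\d{1,10}$/', (string)$id)) {
        return null; // not a plain integer: refuse it
    }
    return (int)$id;
}

// Constructed sample request (not taken from the advisory): a value that
// closes the attribute and injects markup.
$sample = ['filter_config_id' => '1"><b>injected</b>'];

echo render_filter_vulnerable($sample), "\n"; // attribute closed, <b> lands in the page
echo render_filter_hardened($sample), "\n";   // quotes and brackets encoded, stays inert
var_dump(filter_config_id($sample));          // NULL: rejected by validation
```

Encoding at the output point is the fix that closes the reflected vector; the integer validation is defence in depth that also covers the stored-filter path, where the value is written once and rendered later.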

Plugin Details

Severity: Medium

ID: 8678

Family: CGI

Published: 2015/04/08

Modified: 2018/09/16

Dependencies: 8680

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 5.3

Temporal Score: 4.9

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mantisbt:mantisbt

Patch Publication Date: 2015/02/09

Vulnerability Publication Date: 2015/02/09

Reference Information

CVE: CVE-2015-2046

BID: 72548