{"id":"CVE-2016-7111","details":"MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.","aliases":["GHSA-8vx9-hcvq-gfv8"],"modified":"2026-03-15T22:10:52.889048Z","published":"2017-02-17T17:59:01.170Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/08/28/1"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/08/29/2"},{"type":"FIX","url":"https://github.com/mantisbt/mantisbt/commit/b3511d2f"},{"type":"FIX","url":"https://mantisbt.org/bugs/view.php?id=21263"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mantisbt/mantisbt","events":[{"introduced":"0"},{"last_affected":"6e1766bddc32d780aa3e08815ad7c010b32ca88a"},{"fixed":"b3511d2f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.3.0"}]}}],"versions":["release-1.2.0a1","release-1.2.0a2","release-1.2.0a3","release-1.2.0rc1","release-1.3.0","release-1.3.0-beta.1","release-1.3.0-beta.2","release-1.3.0-beta.3","release-1.3.0-rc.1","release-1.3.0-rc.2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.0.0-beta1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7111.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}