{"id":"CVE-2017-12062","details":"An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.","aliases":["GHSA-w93w-rx52-24qh"],"modified":"2026-04-10T03:56:38.688440Z","published":"2017-08-01T15:29:00.593Z","references":[{"type":"ADVISORY","url":"http://openwall.com/lists/oss-security/2017/08/01/1"},{"type":"ADVISORY","url":"http://openwall.com/lists/oss-security/2017/08/01/2"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039030"},{"type":"REPORT","url":"https://mantisbt.org/bugs/view.php?id=23166"},{"type":"FIX","url":"https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mantisbt/mantisbt","events":[{"introduced":"0"},{"last_affected":"9f117fd951fbde716077b1453e0ecba9dbdc588a"},{"introduced":"0"},{"last_affected":"4d317bf6c92a2cf32644286b5f49b6c34988d973"},{"introduced":"0"},{"last_affected":"67edb2ce5d720c28ebac4acf1d9d6f990c4eff99"},{"introduced":"0"},{"last_affected":"d4d0e851fbf2ec38532e045d2acec22b0e544f53"},{"introduced":"0"},{"last_affected":"b77f7b5783e270066cdf10dae36f6241ac1591c3"},{"introduced":"0"},{"last_affected":"1abcbc10ea82aa36c2f2c2f38f43343d013749c4"},{"introduced":"0"},{"last_affected":"5e95a5db5f445ec39868b341a73416a8f9008c35"},{"introduced":"0"},{"last_affected":"a954bbdc7e53b98dcac51fcf8bc6cb41deaa0028"},{"introduced":"0"},{"last_affected":"73a34c4af43358599ff62b01c1b1f23d75a0c76c"},{"introduced":"0"},{"last_affected":"0c6dde3dea2ea43d1d38f72f44834436c6dd4d74"},{"introduced":"0"},{"last_affected":"27b5b292c9814a40fdd5715fa499a82e29f6f866"},{"introduced":"0"},{"last_affected":"afc31a63fd76ae68f8bc8e8516d4431cf10ea9c5"},{"introduced":"0"},{"last_affected":"990c773bab5cdc69d30cfd2be1824cb42e463ba2"},{"introduced":"0"},{"last_affected":"d83c14a9cd3cdd898fd911dd904feacea7340ac6"},{"introduced":"0"},{"last_affected":"609e2522903b1cbec51c054beb2761927ec19d0f"},{"introduced":"0"},{"last_affected":"90d8895978e056caaef178df932dcfb827a3f14d"},{"introduced":"0"},{"last_affected":"b1010be69bd6fc4b2dd091ce3ab93e1ac75d3396"},{"introduced":"0"},{"last_affected":"063cce6182568cf2eba81e3ca59cdd67606e7bab"},{"fixed":"9b5b71dadbeeeec27efea59f562ac5bd6d2673b7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.1.0"},{"introduced":"0"},{"last_affected":"2.1.1"},{"introduced":"0"},{"last_affected":"2.1.2"},{"introduced":"0"},{"last_affected":"2.1.3"},{"introduced":"0"},{"last_affected":"2.2.0"},{"introduced":"0"},{"last_affected":"2.2.1"},{"introduced":"0"},{"last_affected":"2.2.2"},{"introduced":"0"},{"last_affected":"2.2.3"},{"introduced":"0"},{"last_affected":"2.2.4"},{"introduced":"0"},{"last_affected":"2.3.0"},{"introduced":"0"},{"last_affected":"2.3.1"},{"introduced":"0"},{"last_affected":"2.3.2"},{"introduced":"0"},{"last_affected":"2.3.3"},{"introduced":"0"},{"last_affected":"2.4.0"},{"introduced":"0"},{"last_affected":"2.4.1"},{"introduced":"0"},{"last_affected":"2.4.2"},{"introduced":"0"},{"last_affected":"2.5.0"},{"introduced":"0"},{"last_affected":"2.5.1"}]}}],"versions":["release-1.2.0a1","release-1.2.0a2","release-1.2.0a3","release-1.2.0rc1","release-1.3.0-beta.1","release-1.3.0-beta.2","release-1.3.0-beta.3","release-1.3.0-rc.1","release-1.3.0-rc.2","release-2.0.0","release-2.0.0-beta.1","release-2.0.0-beta.2","release-2.0.0-beta.3","release-2.0.0-rc.1","release-2.0.0-rc.2","release-2.1.0","release-2.1.1","release-2.1.2","release-2.1.3","release-2.2.0","release-2.2.1","release-2.2.2","release-2.2.3","release-2.2.4","release-2.3.0","release-2.3.1","release-2.3.2","release-2.3.3","release-2.4.0","release-2.4.1","release-2.4.2","release-2.5.0","release-2.5.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12062.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}