{"id":"CVE-2017-6797","details":"A cross-site scripting (XSS) vulnerability in bug_change_status_page.php in MantisBT before 1.3.7 and 2.x before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'action_type' parameter.","modified":"2026-04-10T04:01:59.278537Z","published":"2017-03-10T00:59:00.170Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/96818"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1037978"},{"type":"REPORT","url":"http://www.mantisbt.org/bugs/view.php?id=22486"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2017/03/10/1"},{"type":"FIX","url":"https://github.com/mantisbt/mantisbt/commit/a2d90ecabf3bcf3aa22ed9dbbecfd3d37902956f"},{"type":"FIX","url":"https://github.com/mantisbt/mantisbt/commit/c272c3f65da9677e505ff692b1f1e476b3afa56e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mantisbt/mantisbt","events":[{"introduced":"0"},{"fixed":"c1d3abba777aa8d208b4119ff52de040ed59f578"},{"introduced":"ac51f2a22377ec1cef40ae53048327d7ab2df33e"},{"fixed":"1abcbc10ea82aa36c2f2c2f38f43343d013749c4"},{"fixed":"a2d90ecabf3bcf3aa22ed9dbbecfd3d37902956f"},{"fixed":"c272c3f65da9677e505ff692b1f1e476b3afa56e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.3.7"},{"introduced":"2.0.0"},{"fixed":"2.2.1"}]}}],"versions":["release-1.2.0a1","release-1.2.0a2","release-1.2.0a3","release-1.2.0rc1","release-1.3.0","release-1.3.0-beta.1","release-1.3.0-beta.2","release-1.3.0-beta.3","release-1.3.0-rc.1","release-1.3.0-rc.2","release-1.3.1","release-1.3.2","release-1.3.3","release-1.3.4","release-1.3.5","release-1.3.6","release-2.0.0","release-2.1.0","release-2.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6797.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}