VYPR
Medium severity · 4.7 · NVD Advisory · Published Feb 17, 2017 · Updated May 13, 2026

CVE-2016-7111

Description

MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 sends a weakened Content Security Policy when the Gravatar plugin is enabled, which removes the header's protection against XSS.

Vulnerability

MantisBT versions before 1.3.1 and 2.x before 2.0.0-beta.2 ship a bundled Gravatar plugin whose EVENT_LAYOUT_RESOURCES hook emitted its own Content-Security-Policy header, img-src 'self' followed by the avatar URL, through a plain header() call. PHP's header() replaces an existing header of the same name by default, so the core policy already set by http_security_headers(), default-src 'self'; frame-ancestors 'none'; style-src 'self'; script-src 'self', was overwritten. The header the browser received contained only an img-src directive: with no script-src and no default-src to fall back to, CSP no longer restricted inline or remote scripts, and the frame-ancestors restriction was lost as well (X-Frame-Options: DENY was still sent). The weak policy does not itself create an injection point; it removes the mitigation that would otherwise have blocked a reflected or stored XSS payload [1][3].

Exploitation

No attacker interaction is needed to trigger the weakening: the plugin emitted the replacement header on every page render whenever it was enabled and show_avatar was not OFF. Exploitation still requires a separate vector through which the attacker can get HTML or JavaScript into a MantisBT page; the NVD description leaves those vectors unspecified. Once such content is rendered, the missing script-src means the browser executes it whether it is inline or loaded from an attacker-controlled origin, both of which the default policy of script-src 'self' would have blocked [3].

Impact

Successful exploitation allows an attacker to perform cross-site scripting (XSS) attacks, leading to disclosure of sensitive information, session hijacking, or arbitrary actions on behalf of the victim user. The impact is limited to the scope of the MantisBT application and the user's privileges [1][3].

Mitigation

The vulnerability is fixed in MantisBT 1.3.1 and 2.0.0-beta.2 (commit b3511d2feb47). Rather than letting a plugin emit a competing header, the fix introduces a CSP registry in core/http_api.php (http_csp_add(), http_csp_value(), http_csp_emit_header()) and a new EVENT_CORE_HEADERS event fired before the core headers are sent; the Gravatar plugin now registers its avatar URL as an additional img-src source and core emits a single merged policy [4]. Users should upgrade to these or later versions. No workaround is documented in the references; the vulnerable code path only runs when the plugin is enabled and show_avatar is not OFF, so disabling the plugin or avatars restores the core policy until the upgrade can be applied [1][3].
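To make the fallback behaviour concrete, here is an added example (not MantisBT code and not taken from the advisory's references) that models CSP source matching with default-src fallback in Python and evaluates the three header values discussed above: the core policy, the plugin-only header that vulnerable versions sent, and the merged header the patched code emits. The avatar URL https://secure.gravatar.com/avatar/ stands in for whatever Gravatar::getAvatarUrl() returns, the page origin bugs.example.test is made up, and the directive order of the fixed header follows from the diff (the plugin registers img-src during EVENT_CORE_HEADERS before core adds its defaults).

```python
"""Why the Gravatar plugin's header emission defeated MantisBT's CSP.

A small model of CSP source-list matching with default-src fallback, run over
three header values: the core policy, the plugin-only policy the browser saw
on vulnerable versions, and the merged policy the fixed code emits.
Sample values are constructed for illustration; this is not MantisBT code.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent. frame-ancestors is
# a navigation directive and never falls back, so omitting it means "unrestricted".
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "child-src",
}

PAGE_ORIGIN = "https://bugs.example.test"            # assumed MantisBT origin
GRAVATAR = "https://secure.gravatar.com/avatar/"     # assumed getAvatarUrl() value

# Core policy from http_security_headers() before the fix, plugin disabled.
CORE = "default-src 'self'; frame-ancestors 'none'; style-src 'self'; script-src 'self'"

# What vulnerable versions sent with the plugin enabled: PHP's header() replaces
# a same-named header, so only the plugin's directive reached the browser.
WEAKENED = f"img-src 'self' {GRAVATAR}"

# Output of the patched code, in the key order http_csp_value() produces when the
# plugin registers img-src during EVENT_CORE_HEADERS before core adds its defaults.
FIXED = (
    f"img-src {GRAVATAR} 'self'; default-src 'self'; frame-ancestors 'none'; "
    "style-src 'self'; script-src 'self'"
)


def parse_csp(header_value):
    """Parse a header value into {directive: [source, ...]}.

    A directive name repeated within one policy is ignored after its first
    occurrence (CSP semantics), so the first one wins.
    """
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`, or None when CSP imposes no restriction."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme, (parts.hostname or "").lower(), parts.port)


def _host_source_matches(source, resource):
    """Match a host-source (scheme optional, *.host wildcard, path prefix)."""
    src = urlsplit(source if "://" in source else "//" + source)
    res = urlsplit(resource)
    if src.scheme and src.scheme != res.scheme:
        return False
    src_host, res_host = (src.hostname or "").lower(), (res.hostname or "").lower()
    if src_host.startswith("*."):
        if not res_host.endswith(src_host[1:]):
            return False
    elif src_host != res_host:
        return False
    if src.port is not None and src.port != res.port:
        return False
    if src.path and src.path != "/" and not res.path.startswith(src.path):
        return False
    return True


def allows(policy, directive, resource, page_origin=PAGE_ORIGIN):
    """True if `resource` (a URL, or the string 'inline') may load under `directive`."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True                      # no directive and no fallback: nothing to enforce
    if "'none'" in sources:
        return False
    if resource == "inline":
        return "'unsafe-inline'" in sources
    for source in sources:
        if source == "'self'":
            if _origin(resource) == _origin(page_origin):
                return True
        elif source == "*":
            return True
        elif source.endswith(":"):       # scheme-source such as https:
            if urlsplit(resource).scheme + ":" == source:
                return True
        elif not source.startswith("'") and _host_source_matches(source, resource):
            return True
    return False


def report(header_value):
    """Summarise what a policy permits for the probes relevant to this CVE."""
    policy = parse_csp(header_value)
    return {
        "inline_script": allows(policy, "script-src", "inline"),
        "remote_script": allows(policy, "script-src", "https://attacker.example/x.js"),
        "gravatar_image": allows(policy, "img-src", GRAVATAR + "00ff"),
        "framed_by_other_origin": allows(policy, "frame-ancestors", "https://attacker.example/"),
    }


if __name__ == "__main__":
    for name, value in (("core", CORE), ("weakened", WEAKENED), ("fixed", FIXED)):
        print(f"{name:9s} {report(value)}")
```

Running it shows the point of the fix in one table: the weakened header permits inline and remote scripts and framing, because no script-src or frame-ancestors directive survived the replacement; the merged header keeps those restrictions while still allowing the avatar host. The same parse_csp()/report() pair can be pointed at a live header (curl -sI against an instance) to confirm which of the three shapes a deployment is actually sending.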

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions                 Patched versions
mantisbt/mantisbt (Packagist)   < 1.3.1                           1.3.1
mantisbt/mantisbt (Packagist)   >= 2.0.0-beta.1, < 2.0.0-beta.2   2.0.0-beta.2

Affected products: 2

Patches: 1

b3511d2feb47

Fix weakened CSP by Gravatar plugin

https://github.com/mantisbt/mantisbt · Damien Regad · Aug 27, 2016 · via ghsa
5 files changed · +91 −23
  • core/events_inc.php (+1 −0, modified)
    @@ -33,6 +33,7 @@
     
     	# Events specific to the core system
     	'EVENT_CORE_READY' => EVENT_TYPE_EXECUTE,
    +	'EVENT_CORE_HEADERS' => EVENT_TYPE_EXECUTE,
     
     	# MantisBT Layout Events
     	'EVENT_LAYOUT_RESOURCES' => EVENT_TYPE_OUTPUT,
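Review bot: EVENT_CORE_HEADERS is registered as EVENT_TYPE_EXECUTE, so core discards whatever a hook returns and a plugin can only influence headers by side effect (calling http_csp_add() or header() itself). Add a one-line comment next to the entry saying so, because a plugin author reading events_inc.php alone would otherwise expect an OUTPUT-style return value like the EVENT_LAYOUT_RESOURCES entry directly below it.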
    
  • core/http_api.php (+73 −15, modified)
    @@ -29,6 +29,12 @@
     
     require_api( 'config_api.php' );
     
    +/**
    + * The Content-Security-Policy settings array.  Use http_csp_add() to update it.
    + * @var array
    + */
    +$g_csp = array();
    +
     /**
      * Checks to see if script was queried through the HTTPS protocol
      * @return boolean True if protocol is HTTPS
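Review bot: `$g_csp` is a bare global that any included file can assign to, and the docblock only says "Use http_csp_add() to update it". State here that null is the post-emission sentinel tested by http_csp_add() and http_csp_value(), since a plugin that resets it to array() after http_csp_emit_header() silently defeats that guard.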
    @@ -138,6 +144,64 @@ function http_content_headers() {
     	}
     }
     
    +/**
    + * Add a Content-Security-Policy directive.
    + *
    + * @param  string $p_type  The directive type, e.g. style-src, script-src.
    + * @param  string $p_value The directive value, e.g. 'self', https://ajax.googleapis.com
    + * @return void
    + */
    +function http_csp_add( $p_type, $p_value ) {
    +	global $g_csp;
    +
    +	if ( $g_csp === null ) {
    +		# Development error, headers already emitted.
    +		trigger_error( ERROR_GENERIC, ERROR );
    +	}
    +
    +	if ( isset( $g_csp[$p_type] ) ) {
    +		if ( !in_array( $p_value, $g_csp[$p_type] ) ) {
    +			$g_csp[$p_type][] = $p_value;
    +		}
    +	} else {
    +		$g_csp[$p_type] = array( $p_value );
    +	}
    +}
    +
    +/**
    + * Constructs the value of the CSP header.
    + * @return string CSP header value.
    + */
    +function http_csp_value() {
    +	global $g_csp;
    +
    +	if ( $g_csp === null ) {
    +		# Development error, headers already emitted.
    +		trigger_error( ERROR_GENERIC, ERROR );
    +	}
    +
    +	$t_csp_value = '';
    +
    +	foreach ( $g_csp as $t_key => $t_values ) {
    +		$t_csp_value .= $t_key . ' ' . implode( ' ', $t_values ) . '; ';
    +	}
    +
    +	$t_csp_value = trim( $t_csp_value, '; ' );
    +
    +	return $t_csp_value;
    +}
    +
    +/**
    + * Send header for Content-Security-Policy.
    + * @return void
    + */
    +function http_csp_emit_header() {
    +	header( 'Content-Security-Policy: ' . http_csp_value() );
    +
    +	global $g_csp;
    +	$g_csp = null;
    +}
    +
     /**
      * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
      * @return void
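Review bot: http_csp_add() validates neither `$p_type` nor `$p_value`, and http_csp_value() joins them with `'; '`, so a value containing a semicolon (for example "https://cdn.example; script-src 'unsafe-inline'") is emitted as an extra directive. The only caller today passes a config-derived URL, but this is now the public API plugins are told to use, so reject values containing ';', whitespace or CR/LF, or at least document the restriction. Two smaller points: after `trigger_error( ERROR_GENERIC, ERROR )` the function falls through, and `$g_csp[$p_type] = array( $p_value )` would turn the null sentinel back into an array if the error handler returns, so add a `return;` there; and in http_csp_emit_header() the `global $g_csp;` declaration sits after the header() call, which is legal but reads as if the header were sent before the global is bound; move it to the top of the function.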
    @@ -147,32 +211,26 @@ function http_security_headers() {
     		header( 'X-Frame-Options: DENY' );
     
     		# Define Content Security Policy
    -		$t_csp = array(
    -			"default-src 'self'",
    -			"frame-ancestors 'none'",
    -		);
    -
    -		$t_style_src = "style-src 'self'";
    -		$t_script_src = "script-src 'self'";
    +		http_csp_add( 'default-src', "'self'" );
    +		http_csp_add( 'frame-ancestors', "'none'" );
    +		http_csp_add( 'style-src', "'self'" );
    +		http_csp_add( 'script-src', "'self'" );
    +		http_csp_add( 'img-src', "'self'" );
     
     		# White list the CDN urls (if enabled)
     		if ( config_get_global( 'cdn_enabled' ) == ON ) {
     			$t_cdn_url = 'https://ajax.googleapis.com';
    -			$t_style_src .= " $t_cdn_url";
    -			$t_script_src .= " $t_cdn_url";
    +			http_csp_add( 'style-src', $t_cdn_url );
    +			http_csp_add( 'script-src', $t_cdn_url );
     		}
     
     		# Relaxing policy for roadmap page to allow inline styles
     		# This is a workaround to fix the broken progress bars (see #19501)
     		if( 'roadmap_page.php' == basename( $_SERVER['SCRIPT_NAME'] ) ) {
    -			$t_style_src .= " 'unsafe-inline'";
    +			http_csp_add( 'style-src', "'unsafe-inline'" );
     		}
     
    -		$t_csp[] = $t_style_src;
    -		$t_csp[] = $t_script_src;
    -
    -		# Set CSP header
    -		header( 'Content-Security-Policy: ' . implode('; ', $t_csp) );
    +		http_csp_emit_header();
     
     		if( http_is_protocol_https() ) {
     			header( 'Strict-Transport-Security: max-age=7776000' );
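Review bot: the new `http_csp_add( 'img-src', "'self'" )` looks redundant beside default-src 'self', but it is what keeps same-origin images working once a plugin registers its own img-src source, because an explicit img-src stops the fallback to default-src. Add a comment saying so, or the next cleanup removes it and every image served by MantisBT itself breaks when Gravatar is enabled. Also worth noting in the comment block: the API is additive only and the plugin event fires before these defaults are registered, so nothing here stops a plugin from adding "'unsafe-inline'" to script-src as easily as it adds a host to img-src.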
    
  • core.php (+1 −0, modified)
    @@ -274,6 +274,7 @@ function __autoload( $p_class ) {
     
     # Set HTTP response headers
     require_api( 'http_api.php' );
    +event_signal( 'EVENT_CORE_HEADERS' );
     http_all_headers();
     
     # Push default language to speed calls to lang_get
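Review bot: `event_signal( 'EVENT_CORE_HEADERS' )` only reaches the Gravatar hook if plugins have been loaded and their hooks registered before this point in core.php; the hunk shows the call immediately before http_all_headers() but not where the plugin bootstrap runs. Confirm that ordering, and that event_signal() is a no-op rather than an error when the event system is not yet initialised, otherwise the img-src registration silently never happens and avatars are blocked by the core policy with nothing in the header to explain why.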
    
  • docbook/Developers_Guide/en-US/Events_Reference.xml (+13 −0, modified)
    @@ -83,6 +83,19 @@
     			</blockquote>
     		</blockquote>
     
    +		<blockquote id="dev.eventref.system.coreheaders">
    +			<title>EVENT_CORE_HEADERS (Execute)</title>
    +
    +			<blockquote>
    +				<para>
    +					This event is triggered by the MantisBT bootstrap process just before emitting the
    +					headers.  This enables plugins to emit their own headers or use API that enables
    +					tweaking values of headers emitted by core.  An example, of headers that can be
    +					tweaked is Content-Security-Policy header which can be tweaked using http_csp_*() APIs.
    +				</para>
    +			</blockquote>
    +		</blockquote>
    +
     		<blockquote id="dev.eventref.system.coreready">
     			<title>EVENT_CORE_READY (Execute)</title>
     
    
  • plugins/Gravatar/Gravatar.php (+3 −8, modified)
    @@ -106,21 +106,16 @@ function config() {
     	function hooks() {
     		return array(
     			'EVENT_USER_AVATAR' => 'user_get_avatar',
    -			'EVENT_LAYOUT_RESOURCES' => 'csp_headers',
    +			'EVENT_CORE_HEADERS' => 'csp_headers',
     		);
     	}
     
     	/**
    -	 * Add Content-Security-Policy for retrieving Avatar images.
    -	 *
    -	 * @return void
    +	 * Register gravatar url as an img-src for CSP header
     	 */
     	function csp_headers() {
    -		# Policy for images: Allow gravatar URL
     		if( config_get( 'show_avatar' ) !== OFF ) {
    -			# Set CSP header
    -			header( "Content-Security-Policy: img-src 'self' " .
    -				self::getAvatarUrl() );
    +			http_csp_add( 'img-src', self::getAvatarUrl() );
     		}
     	}
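Review bot: the removed header() call is the root cause and deserves a comment in the code (the commit message only says "weakened"): PHP's header() replaces an existing header of the same name by default, so this img-src-only policy overwrote the default-src/script-src/frame-ancestors policy core had already sent, leaving scripts unrestricted on every page where avatars were shown. The http_csp_add() replacement is the right fix; the docblock lost its `@return void` line in the process and should get it back.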
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0