Medium severity6.1NVD Advisory· Published Aug 1, 2017· Updated May 13, 2026

CVE-2017-12062

Description

An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
mantisbt/mantisbtPackagist	>= 2.0.0, < 2.5.2	2.5.2

Affected products

Mantisbt/Mantisbt18 versions
cpe:2.3:a:mantisbt:mantisbt:2.1.0:*:*:*:*:*:*:*+ 17 more
- cpe:2.3:a:mantisbt:mantisbt:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.5.1:*:*:*:*:*:*:*

Patches

9b5b71dadbee

Fix XSS in manage_user_page.php (CVE-2017-12062)

https://github.com/mantisbt/mantisbtRoland BeckerJul 27, 2017via ghsa

commit

1 file changed · +1 −1

manage_user_page.php+1 −1 modified

@@ -272,7 +272,7 @@
 			<input type="hidden" name="sort" value="<?php echo $c_sort ?>" />
 			<input type="hidden" name="dir" value="<?php echo $c_dir ?>" />
 			<input type="hidden" name="save" value="1" />
-			<input type="hidden" name="filter" value="<?php echo $f_filter ?>" />
+			<input type="hidden" name="filter" value="<?php echo string_attribute( $f_filter ); ?>" />
 			<label class="inline">
 			<input type="checkbox" class="ace" name="hideinactive" value="<?php echo ON ?>" <?php check_checked( (int)$c_hide_inactive, ON ); ?> />
 			<span class="lbl"> <?php echo lang_get( 'hide_inactive' ) ?></span>

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7nvdPatchThird Party AdvisoryWEB
mantisbt.org/bugs/view.phpnvdExploitIssue TrackingVendor AdvisoryWEB
openwall.com/lists/oss-security/2017/08/01/1nvdMailing ListThird Party AdvisoryWEB
openwall.com/lists/oss-security/2017/08/01/2nvdMailing ListThird Party AdvisoryWEB
www.securitytracker.com/id/1039030nvdThird Party AdvisoryVDB Entry
github.com/advisories/GHSA-w93w-rx52-24qhghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-12062ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000