VYPR
Medium severity · 4.8 · NVD Advisory · Published Mar 31, 2017 · Updated May 13, 2026

CVE-2017-6973

Description

A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter. This is fixed in 1.3.8, 2.1.2, and 2.2.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) vulnerability in MantisBT Configuration Report page allows arbitrary code injection via crafted 'action' parameter; fixed in versions 1.3.8, 2.1.2, and 2.2.2.

Vulnerability

The vulnerability is a reflected cross-site scripting (XSS) in the MantisBT Configuration Report page (adm_config_report.php). The action parameter is not sanitized, allowing an attacker to inject arbitrary HTML or JavaScript. This affects versions from 1.3.0-rc.2 through 2.2.1. The issue was introduced in 1.3.0-rc.2 and fixed in versions 1.3.8, 2.1.2, and 2.2.2 [1][2][3].
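The pattern behind the bug and the fix, as an added illustration that is not MantisBT code and not part of the advisory: the request value is used unchanged to build a string that is echoed into the page, and the fix accepts only a closed set of action names. The function names render_action_form_vulnerable(), normalise_action() and render_action_form_fixed(), and the use of plain array access instead of the project's gpc_get_string() and lang_get() helpers, are assumptions made for this example.

```php
<?php
// Added illustration of the adm_config_report.php fix; not MantisBT code.
// The three constants mirror the ones the fix adds to core/constant_inc.php.
const MANAGE_CONFIG_ACTION_CREATE = 'create';
const MANAGE_CONFIG_ACTION_CLONE  = 'clone';
const MANAGE_CONFIG_ACTION_EDIT   = 'edit';

/**
 * Pre-fix shape (assumed simplification): the request value is used as-is to
 * populate a hidden form field, so whatever the client sends lands in the
 * HTML unchanged. This is the behaviour the advisory describes.
 */
function render_action_form_vulnerable(array $params): string {
    $action = $params['action'] ?? 'action_create';
    return '<input type="hidden" name="action" value="' . $action . '" />';
}

/**
 * Post-fix shape: the request value is accepted only if it is one of the
 * known actions; anything else falls back to the default action.
 * Strict comparison is used here so only an exact string match passes.
 */
function normalise_action(?string $raw): string {
    $valid = [MANAGE_CONFIG_ACTION_CREATE, MANAGE_CONFIG_ACTION_CLONE, MANAGE_CONFIG_ACTION_EDIT];
    return in_array($raw, $valid, true) ? $raw : MANAGE_CONFIG_ACTION_CREATE;
}

/**
 * The allowlist alone makes the value safe; escaping at the sink is added as
 * defence in depth so the output stays safe if the list is widened later.
 */
function render_action_form_fixed(array $params): string {
    $action = normalise_action($params['action'] ?? null);
    return '<input type="hidden" name="action" value="'
        . htmlspecialchars($action, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '" />';
}

// Constructed request values for a self-check (not real traffic).
$cases = [
    'edit',                     // legitimate current value
    'action_edit',              // pre-fix wire value: now falls back to create
    '"><i>not-an-action</i>',   // constructed markup: must never reach the page
];
foreach ($cases as $raw) {
    $before = render_action_form_vulnerable(['action' => $raw]);
    $after  = render_action_form_fixed(['action' => $raw]);
    printf("input %-26s vulnerable: %s\n%-32s fixed:      %s\n", $raw, $before, '', $after);
    // The fixed output never carries an unescaped '<' or '"' taken from the input.
    assert(strpos($after, '<i>') === false);
    assert(in_array(normalise_action($raw), ['create', 'clone', 'edit'], true));
}
```

Run it with `php example.php`; the third case shows the vulnerable renderer closing the attribute early and emitting the constructed tag, while the fixed renderer emits `value="create"`.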

Exploitation

An attacker can craft a malicious URL with a specially crafted action parameter and trick a victim (typically an administrator) into visiting it. No authentication is required for the attacker, but the victim must be logged into MantisBT. The unsanitized parameter is reflected in the page output, leading to script execution in the victim's browser [2][3].
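A defender reviewing web-server logs for this issue can apply the same allowlist the fix uses: any request to adm_config_report.php whose action parameter is not one of the three accepted names is worth a look. The following is an added example, not part of the advisory or of MantisBT; it assumes the combined access-log format, treats the pre-fix wire values (action_create, action_clone, action_edit) as benign so that historic traffic from unpatched installs does not alert, and the log lines, IP addresses and function names parse_log_line() and suspicious_action() are constructed for the example.

```php
<?php
// Added detection example; not part of the advisory or of MantisBT.
// Values the fixed adm_config_report.php accepts, and the pre-fix names.
const VALID_ACTIONS  = ['create', 'clone', 'edit'];
const LEGACY_ACTIONS = ['action_create', 'action_clone', 'action_edit'];

/**
 * Parse one combined-format access log line into its useful fields.
 * Returns null for lines that do not match the expected layout.
 */
function parse_log_line(string $line): ?array {
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int)$m[5]];
}

/**
 * Return the non-allowlisted action value of a request, or null when the
 * request is not for adm_config_report.php or its action is a known name.
 */
function suspicious_action(array $req): ?string {
    $url = parse_url($req['target']);
    if ($url === false || basename($url['path'] ?? '') !== 'adm_config_report.php') {
        return null;
    }
    parse_str($url['query'] ?? '', $query);   // parse_str also URL-decodes the values
    if (!isset($query['action'])) {
        return null;
    }
    $action = is_string($query['action']) ? $query['action'] : '(array value)';
    if (in_array($action, VALID_ACTIONS, true) || in_array($action, LEGACY_ACTIONS, true)) {
        return null;
    }
    return $action;
}

// Constructed sample lines (not real traffic). Only the third should alert:
// its action is neither a current nor a legacy action name.
$log = <<<'LOG'
203.0.113.5 - - [17/Mar/2017:10:01:02 +0000] "GET /mantis/adm_config_report.php?action=edit&config_option=x HTTP/1.1" 200 1234
203.0.113.5 - - [17/Mar/2017:10:01:09 +0000] "GET /mantis/adm_config_report.php?action=action_clone HTTP/1.1" 200 1200
198.51.100.9 - - [17/Mar/2017:10:02:44 +0000] "GET /mantis/adm_config_report.php?action=does_not%22exist HTTP/1.1" 200 1300
198.51.100.9 - - [17/Mar/2017:10:02:50 +0000] "GET /mantis/view_all_bug_page.php?action=zzz HTTP/1.1" 200 5000
LOG;

$hits = [];
foreach (explode("\n", $log) as $line) {
    $req = parse_log_line($line);
    if ($req === null) {
        continue;
    }
    $bad = suspicious_action($req);
    if ($bad !== null) {
        $hits[] = [$req['ip'], $req['time'], $bad];
    }
}
foreach ($hits as [$ip, $time, $bad]) {
    printf("%s %s adm_config_report.php action=%s\n", $time, $ip, var_export($bad, true));
}
assert(count($hits) === 1);
assert($hits[0][2] === 'does_not"exist');
```

The check is deliberately based on the allowlist rather than on signatures for specific markup, so it flags any unexpected value regardless of encoding; on a patched install such requests are harmless (the fix falls back to the create form) but still indicate probing worth correlating with the source address.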

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement of the application, or theft of sensitive data. The attacker gains the same privileges as the victim, which could include administrative access [1][3].

Mitigation

Upgrade to MantisBT 1.3.8, 2.1.2, or 2.2.2, which were released on 2017-03-22 [1][3]. If upgrading is not immediately possible, apply the provided patches from the official repository: commit 034cd07b47af37366fc7b726cb4a4f971d3d3fb9 for the 1.3.x branch or da74c5aa02bcf21cfaab1180f892c22415e5fea6 for the 2.x branch [2][3]. No workaround is available other than upgrading or patching.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions      Patched versions
mantisbt/mantisbt (Packagist)   < 1.3.8                1.3.8
mantisbt/mantisbt (Packagist)   >= 2.0.0, < 2.1.2      2.1.2
mantisbt/mantisbt (Packagist)   >= 2.2.0, < 2.2.2      2.2.2

Affected products (25)

  • Mantisbt/Mantisbt (24 versions)
    • cpe:2.3:a:mantisbt:mantisbt:1.3.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.3.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.3.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.3.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.3.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:1.3.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.0.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mantisbt:mantisbt:2.2.1:*:*:*:*:*:*:*
    • (no CPE) range: <1.3.8, <2.1.2, <2.2.2
  • ghsa-coords
    Range: < 1.3.8

Patches (3)
15e52e84c389

Fix XSS in adm_config_report.php's action parameter

https://github.com/mantisbt/mantisbt · Damien Regad · Mar 17, 2017 · via ghsa
3 files changed · +20 -6
  • adm_config_report.php (+15 -5, modified)
    @@ -218,7 +218,17 @@ function check_config_value( $p_config ) {
     $t_edit_option          = gpc_get_string( 'config_option', $t_filter_config_value == META_FILTER_NONE ? '' : $t_filter_config_value );
     $t_edit_type            = gpc_get_string( 'type', CONFIG_TYPE_DEFAULT );
     $t_edit_value           = gpc_get_string( 'value', '' );
    -$t_edit_action          = gpc_get_string( 'action', 'action_create' );
    +
    +$f_edit_action          = gpc_get_string( 'action', MANAGE_CONFIG_ACTION_CREATE );
    +# Ensure we exclusively use one of the defined, valid actions (XSS protection)
    +$t_valid_actions = array(
    +	MANAGE_CONFIG_ACTION_CREATE,
    +	MANAGE_CONFIG_ACTION_CLONE,
    +	MANAGE_CONFIG_ACTION_EDIT
    +);
    +$t_edit_action = in_array( $f_edit_action, $t_valid_actions )
    +	? $f_edit_action
    +	: MANAGE_CONFIG_ACTION_CREATE;
     
     # Apply filters
     
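    Review bot: the allowlist in `$t_edit_action = in_array( $f_edit_action, $t_valid_actions ) ? $f_edit_action : MANAGE_CONFIG_ACTION_CREATE;` is the right primary control, since the value is later used as part of a language-string key and echoed into a hidden input, but `in_array()` is called without its third argument, so the comparison is loose; pass `true` so that only an exact string match is accepted. Note also that the accepted wire values change from `action_create`/`action_edit`/`action_clone` to `create`/`edit`/`clone`, so an existing link carrying `action=action_edit` now silently falls back to the create form instead of failing; worth a line in the release notes.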
    @@ -443,7 +453,7 @@ function check_config_value( $p_config ) {
     					'config_option' => $v_config_id,
     					'type'          => $v_type,
     					'value'         => $v_value,
    -					'action'        => 'action_edit',
    +					'action'        => MANAGE_CONFIG_ACTION_EDIT,
     				),
     				OFF );
     			echo '</div>';
    @@ -459,7 +469,7 @@ function check_config_value( $p_config ) {
     					'config_option' => $v_config_id,
     					'type'          => $v_type,
     					'value'         => $v_value,
    -					'action'        => 'action_clone',
    +					'action'        => MANAGE_CONFIG_ACTION_CLONE,
     				),
     				OFF );
     			echo '</div>';
    @@ -514,7 +524,7 @@ function check_config_value( $p_config ) {
     		<div class="widget-header widget-header-small">
     		<h4 class="widget-title lighter">
     			<i class="ace-icon fa fa-sliders"></i>
    -			<?php echo lang_get( 'set_configuration_option_' . $t_edit_action ) ?>
    +			<?php echo lang_get( 'set_configuration_option_action_' . $t_edit_action ) ?>
     			</h4>
     		</div>
     
    @@ -605,7 +615,7 @@ function check_config_value( $p_config ) {
     		<div class="widget-toolbox padding-4 clearfix">
     			<input type="hidden" name="action" value="<?php echo $t_edit_action; ?>" />
     			<input type="submit" name="config_set" class="btn btn-primary btn-white btn-round"
    -				value="<?php echo lang_get( 'set_configuration_option_' . $t_edit_action ) ?>"/>
    +				value="<?php echo lang_get( 'set_configuration_option_action_' . $t_edit_action ) ?>"/>
     		</div>
     	</div>
     	</div>
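    Review bot: `<input type="hidden" name="action" value="<?php echo $t_edit_action; ?>" />` in the context lines still echoes the value into an attribute without escaping; it is safe only because of the allowlist applied at the top of the file. Wrapping it in `htmlspecialchars()` (or the project's attribute-escaping helper) costs nothing and keeps this sink safe if the set of actions is widened or the assignment is refactored later.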
    
  • adm_config_set.php (+1 -1, modified)
    @@ -134,7 +134,7 @@
     	}
     }
     
    -if( 'action_edit' === $f_edit_action ){
    +if( MANAGE_CONFIG_ACTION_EDIT === $f_edit_action ){
     	# EDIT action doesn't keep original if key values are different.
     	if ( $f_original_config_option !== $f_config_option
     			|| $f_original_user_id !== $f_user_id
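    Review bot: this script receives the same `action` value from the submitted form, and the hunk shows only the `MANAGE_CONFIG_ACTION_EDIT === $f_edit_action` branch; nothing visible here validates `$f_edit_action` against the full set of actions the way adm_config_report.php now does. If an unrecognised value is meant to be handled as create by default, say so in a comment; otherwise reuse the same validation so both scripts agree on what a valid action is.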
    
  • core/constant_inc.php (+4 -0, modified)
    @@ -646,3 +646,7 @@
     # types, 2^31 is a safe limit to be used for all.
     define( 'DB_MAX_INT', 2147483647 );
     
    +# Configuration management actions (adm_config_report.php)
    +define( 'MANAGE_CONFIG_ACTION_CREATE', 'create' );
    +define( 'MANAGE_CONFIG_ACTION_CLONE', 'clone' );
    +define( 'MANAGE_CONFIG_ACTION_EDIT', 'edit' );
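    Review bot: the three constants are defined here while the list of valid actions is assembled by hand in adm_config_report.php (`$t_valid_actions = array( ... )`), so adding a fourth action means touching both places and forgetting one silently rejects the new value. Consider defining the list next to the constants, or a small helper that returns it, so the allowlist cannot drift from the constants.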
    
da74c5aa02bc

Fix XSS in adm_config_report.php's action parameter

https://github.com/mantisbt/mantisbt · Damien Regad · Mar 17, 2017 · via ghsa
3 files changed · +20 -6
  • adm_config_report.php (+15 -5, modified)
    @@ -218,7 +218,17 @@ function check_config_value( $p_config ) {
     $t_edit_option          = gpc_get_string( 'config_option', $t_filter_config_value == META_FILTER_NONE ? '' : $t_filter_config_value );
     $t_edit_type            = gpc_get_string( 'type', CONFIG_TYPE_DEFAULT );
     $t_edit_value           = gpc_get_string( 'value', '' );
    -$t_edit_action          = gpc_get_string( 'action', 'action_create' );
    +
    +$f_edit_action          = gpc_get_string( 'action', MANAGE_CONFIG_ACTION_CREATE );
    +# Ensure we exclusively use one of the defined, valid actions (XSS protection)
    +$t_valid_actions = array(
    +	MANAGE_CONFIG_ACTION_CREATE,
    +	MANAGE_CONFIG_ACTION_CLONE,
    +	MANAGE_CONFIG_ACTION_EDIT
    +);
    +$t_edit_action = in_array( $f_edit_action, $t_valid_actions )
    +	? $f_edit_action
    +	: MANAGE_CONFIG_ACTION_CREATE;
     
     # Apply filters
     
    @@ -443,7 +453,7 @@ function check_config_value( $p_config ) {
     					'config_option' => $v_config_id,
     					'type'          => $v_type,
     					'value'         => $v_value,
    -					'action'        => 'action_edit',
    +					'action'        => MANAGE_CONFIG_ACTION_EDIT,
     				),
     				OFF );
     			echo '</div>';
    @@ -459,7 +469,7 @@ function check_config_value( $p_config ) {
     					'config_option' => $v_config_id,
     					'type'          => $v_type,
     					'value'         => $v_value,
    -					'action'        => 'action_clone',
    +					'action'        => MANAGE_CONFIG_ACTION_CLONE,
     				),
     				OFF );
     			echo '</div>';
    @@ -514,7 +524,7 @@ function check_config_value( $p_config ) {
     		<div class="widget-header widget-header-small">
     		<h4 class="widget-title lighter">
     			<i class="ace-icon fa fa-sliders"></i>
    -			<?php echo lang_get( 'set_configuration_option_' . $t_edit_action ) ?>
    +			<?php echo lang_get( 'set_configuration_option_action_' . $t_edit_action ) ?>
     			</h4>
     		</div>
     
    @@ -605,7 +615,7 @@ function check_config_value( $p_config ) {
     		<div class="widget-toolbox padding-4 clearfix">
     			<input type="hidden" name="action" value="<?php echo $t_edit_action; ?>" />
     			<input type="submit" name="config_set" class="btn btn-primary btn-white btn-round"
    -				value="<?php echo lang_get( 'set_configuration_option_' . $t_edit_action ) ?>"/>
    +				value="<?php echo lang_get( 'set_configuration_option_action_' . $t_edit_action ) ?>"/>
     		</div>
     	</div>
     	</div>
    
  • adm_config_set.php (+1 -1, modified)
    @@ -134,7 +134,7 @@
     	}
     }
     
    -if( 'action_edit' === $f_edit_action ){
    +if( MANAGE_CONFIG_ACTION_EDIT === $f_edit_action ){
     	# EDIT action doesn't keep original if key values are different.
     	if ( $f_original_config_option !== $f_config_option
     			|| $f_original_user_id !== $f_user_id
    
  • core/constant_inc.php (+4 -0, modified)
    @@ -655,3 +655,7 @@
     # types, 2^31 is a safe limit to be used for all.
     define( 'DB_MAX_INT', 2147483647 );
     
    +# Configuration management actions (adm_config_report.php)
    +define( 'MANAGE_CONFIG_ACTION_CREATE', 'create' );
    +define( 'MANAGE_CONFIG_ACTION_CLONE', 'clone' );
    +define( 'MANAGE_CONFIG_ACTION_EDIT', 'edit' );
    
034cd07b47af

Fix XSS in adm_config_report.php's action parameter

https://github.com/mantisbt/mantisbt · Damien Regad · Mar 17, 2017 · via ghsa
3 files changed · +22 -7
  • adm_config_report.php (+15 -5, modified)
    @@ -217,7 +217,17 @@ function check_config_value( $p_config ) {
     $t_edit_option          = gpc_get_string( 'config_option', $t_filter_config_value == META_FILTER_NONE ? '' : $t_filter_config_value );
     $t_edit_type            = gpc_get_string( 'type', CONFIG_TYPE_DEFAULT );
     $t_edit_value           = gpc_get_string( 'value', '' );
    -$t_edit_action          = gpc_get_string( 'action', 'action_create' );
    +
    +$f_edit_action          = gpc_get_string( 'action', MANAGE_CONFIG_ACTION_CREATE );
    +# Ensure we exclusively use one of the defined, valid actions (XSS protection)
    +$t_valid_actions = array(
    +	MANAGE_CONFIG_ACTION_CREATE,
    +	MANAGE_CONFIG_ACTION_CLONE,
    +	MANAGE_CONFIG_ACTION_EDIT
    +);
    +$t_edit_action = in_array( $f_edit_action, $t_valid_actions )
    +	? $f_edit_action
    +	: MANAGE_CONFIG_ACTION_CREATE;
     
     # Apply filters
     
    @@ -413,7 +423,7 @@ function check_config_value( $p_config ) {
     					'config_option' => $v_config_id,
     					'type'          => $v_type,
     					'value'         => $v_value,
    -					'action'        => 'action_edit',
    +					'action'        => MANAGE_CONFIG_ACTION_EDIT,
     				),
     				OFF );
     
    @@ -427,7 +437,7 @@ function check_config_value( $p_config ) {
     					'config_option' => $v_config_id,
     					'type'          => $v_type,
     					'value'         => $v_value,
    -					'action'        => 'action_clone',
    +					'action'        => MANAGE_CONFIG_ACTION_CLONE,
     				),
     				OFF );
     
    @@ -473,7 +483,7 @@ function check_config_value( $p_config ) {
     
     		<!-- Title -->
     		<legend><span>
    -			<?php echo lang_get( 'set_configuration_option_' . $t_edit_action ) ?>
    +			<?php echo lang_get( 'set_configuration_option_action_' . $t_edit_action ) ?>
     		</span></legend>
     
     		<!-- Username -->
    @@ -545,7 +555,7 @@ function check_config_value( $p_config ) {
     			<!-- Submit button -->
     			<span class="submit-button">
     				<input type="hidden" name="action" value="<?php echo $t_edit_action; ?>" />
    -				<input type="submit" name="config_set" class="button" value="<?php echo lang_get( 'set_configuration_option_' . $t_edit_action ) ?>" />
    +				<input type="submit" name="config_set" class="button" value="<?php echo lang_get( 'set_configuration_option_action_' . $t_edit_action ) ?>" />
     			</span>
     		</fieldset>
     	</form>
    
  • adm_config_set.php (+1 -1, modified)
    @@ -134,7 +134,7 @@
     	}
     }
     
    -if( 'action_edit' === $f_edit_action ){
    +if( MANAGE_CONFIG_ACTION_EDIT === $f_edit_action ){
     	# EDIT action doesn't keep original if key values are different.
     	if ( $f_original_config_option !== $f_config_option
     			|| $f_original_user_id !== $f_user_id
    
  • core/constant_inc.php (+6 -1, modified)
    @@ -621,4 +621,9 @@
     # Note: mantis ids are defined in schema as "I UNSIGNED", which Adodb maps to
     # the closest integer (4 bytes) type available. As some DBs dont support unsigned
     # types, 2^31 is a safe limit to be used for all.
    -define( 'DB_MAX_INT', 2147483647 );
    \ No newline at end of file
    +define( 'DB_MAX_INT', 2147483647 );
    +
    +# Configuration management actions (adm_config_report.php)
    +define( 'MANAGE_CONFIG_ACTION_CREATE', 'create' );
    +define( 'MANAGE_CONFIG_ACTION_CLONE', 'clone' );
    +define( 'MANAGE_CONFIG_ACTION_EDIT', 'edit' );
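    Review bot: the `\ No newline at end of file` marker shows that `define( 'DB_MAX_INT', 2147483647 );` is removed and re-added unchanged only to gain a trailing newline, which is why this 1.3.x hunk counts +6 -1 where the 2.x hunks count +4 -0. That is harmless and worth doing, but it makes the unrelated DB_MAX_INT line appear in blame for this XSS fix; the constants themselves match the 2.x commits exactly.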
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (9)

News mentions (0)

No linked articles in our index yet.