CVE-2017-7241
Description
A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of the admin tools) allows remote attackers to inject arbitrary script through a crafted 'type' parameter, if the Content Security Policy (CSP) settings allow it. This is fixed in 1.3.9, 2.1.3, and 2.2.3. Note that this vulnerability is not exploitable if the admin tools directory is removed, as recommended in the "Post-installation and upgrade tasks" of the MantisBT Admin Guide. A reminder to do so is also displayed on the login page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS vulnerability in MantisBT Move Attachments page allows remote attackers to inject arbitrary code via a crafted 'type' parameter, fixed in versions 1.3.9, 2.1.3, and 2.2.3.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the MantisBT Move Attachments page (move_attachments_page.php), which lives in the admin tools directory. The page echoes the request-supplied type parameter unescaped into the value attribute of a hidden form input, so a crafted value can close the attribute and inject arbitrary markup and script, provided the effective Content Security Policy (CSP) permits it [1]. Affected versions are MantisBT releases prior to 1.3.9, 2.1.3, and 2.2.3 [2]. The vulnerable code was introduced in version 1.2.16 [4].
Exploitation
The attacker builds a URL to the Move Attachments page carrying a malicious type parameter and gets an authenticated administrator to open it [2]. The attacker needs no account of their own, but the victim must be an administrator, because the admin tools are restricted to that access level. Exploitation therefore requires that the admin directory is still present on the server and that the CSP in force does not block the injected script.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the administrator's browser session. This can lead to session hijacking, data theft, or further compromise of the MantisBT instance. The vulnerability has a CVSS v3 score of 4.8 (Medium) [1].
Mitigation
The vulnerability is fixed in MantisBT versions 1.3.9, 2.1.3, and 2.2.3 [2]; upgrade to one of these or a later release. As a workaround, removing the admin tools directory entirely prevents exploitation, as the MantisBT Admin Guide already recommends once installation or upgrade is complete [1][3]; the login page displays a reminder to do so [1]. A CSP that disallows inline script reduces exposure, but it is not a substitute for removing the directory or applying the fix.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
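The following is an added example in PHP, not MantisBT's own code. It renders the hidden type input the way the pre-fix and post-fix lines of the patch do, parses both results with PHP's bundled HTML parser to show what the administrator's browser would see, and evaluates a CSP header value against the "if CSP allows it" caveat in the description. escape_attribute() is a stand-in for MantisBT's string_attribute() whose exact behaviour is assumed; the payload and the CSP strings are constructed for the example.

```php
<?php
// Added example, not MantisBT code: the hidden `type` input of
// move_attachments_page.php rendered the pre-fix and post-fix way, parsed as a
// browser would parse it, plus a check of the CSP caveat from the description.
// escape_attribute() is a stand-in for MantisBT's string_attribute(); its exact
// behaviour is assumed. The payload and the CSP strings are constructed.

/** Stand-in for string_attribute(): escape a value for an HTML attribute. */
function escape_attribute(string $value): string
{
    // ENT_QUOTES escapes both quote characters, so the value can never close
    // the attribute it sits in; ENT_SUBSTITUTE keeps invalid UTF-8 from
    // truncating the output to an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Pre-fix pattern: the request-supplied value is concatenated into markup as-is. */
function render_hidden_type_vulnerable(string $file_type): string
{
    return '<input name="type" type="hidden" value="' . $file_type . '" />';
}

/** Post-fix pattern: identical markup, value escaped for the attribute context. */
function render_hidden_type_fixed(string $file_type): string
{
    return '<input name="type" type="hidden" value="' . escape_attribute($file_type) . '" />';
}

/** Parse a fragment with the bundled HTML parser and return one "tag[attr,...]" per element. */
function dom_summary(string $html): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $summary = [];
    foreach ($doc->getElementsByTagName('body')->item(0)->getElementsByTagName('*') as $el) {
        $attrs = [];
        foreach ($el->attributes as $attr) {
            $attrs[] = $attr->name;
        }
        $summary[] = $el->tagName . '[' . implode(',', $attrs) . ']';
    }
    return $summary;
}

/** The `type` value the admin's browser would submit back after the fixed page rendered it. */
function submitted_type_after_fix(string $file_type): string
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . render_hidden_type_fixed($file_type) . '</body></html>');
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

/**
 * Would this Content-Security-Policy header value stop an injected inline event
 * handler? Inline handlers run only when the governing directive lists
 * 'unsafe-inline' and carries no nonce-/sha*- source (those switch
 * 'unsafe-inline' off). 'unsafe-hashes' is deliberately not modelled.
 */
function csp_blocks_inline_handlers(string $csp): bool
{
    $directives = [];
    foreach (explode(';', $csp) as $directive) {
        $tokens = preg_split('/\s+/', strtolower(trim($directive)), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens !== []) {
            $directives[array_shift($tokens)] = $tokens;
        }
    }
    $sources = $directives['script-src'] ?? $directives['default-src'] ?? null;
    if ($sources === null) {
        return false; // no directive governs script execution, nothing is blocked
    }
    $hasNonceOrHash = preg_grep("/^'(nonce-|sha(256|384|512)-)/", $sources) !== [];
    return !in_array("'unsafe-inline'", $sources, true) || $hasNonceOrHash;
}

// Constructed payload: closes the value attribute and the input tag, then injects
// an element whose inline handler fires as soon as the admin opens the crafted URL.
$payload = '"><img src=x onerror="alert(document.cookie)">';

print_r(dom_summary(render_hidden_type_vulnerable($payload)));
print_r(dom_summary(render_hidden_type_fixed($payload)));
var_dump(submitted_type_after_fix($payload) === $payload);
var_dump(csp_blocks_inline_handlers("default-src 'self'; script-src 'self'"));
var_dump(csp_blocks_inline_handlers("script-src 'self' 'unsafe-inline'"));
```

Run with `php example.php`. The vulnerable rendering parses into two elements, the intended input plus an injected img carrying an onerror attribute; the fixed rendering parses into the single input, and its value attribute decodes back to the exact string that was supplied, so escaping changes nothing about which attachments the form moves. The two CSP strings show why the description qualifies the finding: a script-src without 'unsafe-inline' blocks the injected handler, while one that allows inline script lets it run.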
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 1.3.9 | 1.3.9 |
| mantisbt/mantisbt (Packagist) | >= 2.0.0, < 2.1.3 | 2.1.3 |
| mantisbt/mantisbt (Packagist) | >= 2.2.0, < 2.2.3 | 2.2.3 |
Affected products
- cpe:2.3:a:mantisbt:mantisbt:1.2.16:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.17:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.18:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.19:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.2.20:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.3.0:*:*:*:*:*:*:*
- (no CPE) range: <1.3.9, <2.1.3, <2.2.3
Patches
2d55c6476e93 Fix XSS in move_attachments_page.php
1 file changed · +1 −1
admin/move_attachments_page.php+1 −1 modified@@ -188,7 +188,7 @@ function get_attachment_stats( $p_file_type, $p_in_db ) { </table> <div class="widget-toolbox padding-8 clearfix"> - <input name="type" type="hidden" value="<?php echo $f_file_type ?>" /> + <input name="type" type="hidden" value="<?php echo string_attribute( $f_file_type); ?>" /> <input type="submit" class="btn btn-primary btn-white btn-round" value="Move Attachments" /> </div> </div>
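Review bot: string_attribute() is the right helper for the value="..." context, but the hunk only escapes this one echo of $f_file_type; the value is request-supplied (it is what the hidden `type` input posts back) and the hunk header shows the same value being passed around as $p_file_type in get_attachment_stats( $p_file_type, $p_in_db ), so any other place the page prints it needs the same escaping, and since the value selects which attachments get moved, validating it against the list of known file types before any use would be stronger than output escaping alone. Style nit: `string_attribute( $f_file_type);` pads the opening parenthesis but not the closing one; the function signature in the same hunk header pads both sides, so `string_attribute( $f_file_type )` matches the surrounding code.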
d31841c806a3 Fix XSS in move_attachments_page.php
1 file changed · +1 −1
admin/move_attachments_page.php+1 −1 modified@@ -175,7 +175,7 @@ function get_attachment_stats( $p_file_type, $p_in_db ) { </table> <span class="center"> <br /> - <input name="type" type="hidden" value="<?php echo $f_file_type ?>" /> + <input name="type" type="hidden" value="<?php echo string_attribute( $f_file_type); ?>" /> <input type="submit" class="button" value="Move Attachments" /> </span>
ecef0e9b523a Fix XSS in move_attachments_page.php
1 file changed · +1 −1
admin/move_attachments_page.php+1 −1 modified@@ -188,7 +188,7 @@ function get_attachment_stats( $p_file_type, $p_in_db ) { </table> <div class="widget-toolbox padding-8 clearfix"> - <input name="type" type="hidden" value="<?php echo $f_file_type ?>" /> + <input name="type" type="hidden" value="<?php echo string_attribute( $f_file_type); ?>" /> <input type="submit" class="btn btn-primary btn-white btn-round" value="Move Attachments" /> </div> </div>
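Review bot: this is the same one-line change as 2d55c6476e93 and d31841c806a3 carried across release branches, and the three hunks differ only in offset and surrounding markup (the d31841c806a3 hunk at line 175 still has the older `<span class="center">` layout and `class="button"` submit), so it is worth confirming each branch ends up with identical escaping rather than relying on the cherry-pick; a single regression test that loads the page with a `type` value containing a double quote and asserts the rendered value attribute contains `&quot;` would cover all three branches at once.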
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.mantisbt.org/bugs/view.php (NVD: Exploit, Patch, Vendor Advisory)
- openwall.com/lists/oss-security/2017/03/30/4 (NVD: Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/97253 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-x53v-v9xp-gf6g (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-7241 (GHSA: Advisory)
- github.com/mantisbt/mantisbt/commit/2d55c6476e939db021128b3995c28dcae05b09a4 (GHSA)
- github.com/mantisbt/mantisbt/commit/d31841c806a3c8379fcf6c9d9559451270b0f1cb (GHSA)
- github.com/mantisbt/mantisbt/commit/ecef0e9b523a460709e8feedfce72f05bb30b992 (GHSA)
- www.securitytracker.com/id/1038169 (NVD)