CVE-2017-7309
Description
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed in 1.3.9, 2.1.3, and 2.2.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in MantisBT's Configuration Report page allows attackers to inject arbitrary code via a crafted 'config_option' parameter.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the MantisBT Configuration Report page (adm_config_report.php). The page does not properly sanitize the 'config_option' parameter before output, allowing an attacker to inject arbitrary HTML and JavaScript. The vulnerability affects MantisBT versions from 1.3.0-rc.2 through 2.2.1, and is fixed in versions 1.3.9, 2.1.3, and 2.2.3 [1][2].
Exploitation
An attacker must be able to craft a specially constructed HTTP request to the adm_config_report.php script with a malicious 'config_option' parameter. The attack is remote and does not require prior authentication. Successful exploitation depends on the target site's Content Security Policy (CSP) settings; if CSP does not block inline scripts, the injected code will execute in the context of the victim's browser [1][2].
Impact
A successful exploit allows the attacker to inject arbitrary JavaScript into the Configuration Report page. This can lead to session hijacking, data theft, or defacement, depending on the attacker's goals and the victim's privileges. The impact is limited if a strict CSP is in place that prevents script execution [1][2].
Mitigation
The vulnerability is patched in MantisBT versions 1.3.9, 2.1.3, and 2.2.3, which were released on 2017-03-31 [1]. The fix sanitizes the 'config_option' parameter by escaping HTML special characters before output [4]. Users should upgrade to the latest patched version. No workarounds are documented for unpatched instances.
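As an added illustration (not MantisBT's own code), the pattern the patches change: the hidden original_config_option field echoed the option name raw into a double-quoted attribute, and the fix escapes it first. PHP htmlspecialchars() stands in here for MantisBT's string_display_line()/string_attribute() helpers, and the crafted option name is a constructed sample.

```php
<?php
// Added example, not MantisBT code. Models the line changed by the CVE-2017-7309
// patches: the hidden original_config_option field echoed $t_edit_option raw into
// a double-quoted attribute. htmlspecialchars() stands in for MantisBT's
// string_display_line()/string_attribute() helpers (assumption).

function render_hidden_vulnerable(string $option): string {
    // Before the fix: any '"' in $option ends the attribute early.
    return '<input type="hidden" name="original_config_option" value="' . $option . '" />';
}

function render_hidden_fixed(string $option): string {
    // After the fix: " < > & become entities and cannot close the attribute or open a tag.
    $escaped = htmlspecialchars($option, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="original_config_option" value="' . $escaped . '" />';
}

// Number of start tags a parser sees; anything above 1 means markup was injected.
function start_tag_count(string $html): int {
    return preg_match_all('/<[a-zA-Z]/', $html);
}

// The browser decodes entities before submitting the form, so the server must
// get the original option name back unchanged after escaping.
function value_round_trips(string $option): bool {
    $dom = new DOMDocument();
    $dom->loadHTML('<!DOCTYPE html><html><body>' . render_hidden_fixed($option) . '</body></html>');
    $input = $dom->getElementsByTagName('input')->item(0);
    return $input !== null && $input->getAttribute('value') === $option;
}

// Constructed sample: a config option name that tries to close the attribute.
$crafted = 'webmaster_email"><b>injected</b>';

printf("vulnerable: %d start tag(s)\n", start_tag_count(render_hidden_vulnerable($crafted)));
printf("fixed:      %d start tag(s)\n", start_tag_count(render_hidden_fixed($crafted)));
printf("round trip: %s\n", value_round_trips($crafted) ? 'ok' : 'FAILED');
```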
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 1.3.9 | 1.3.9 |
| mantisbt/mantisbt (Packagist) | >= 2.1.0, < 2.1.3 | 2.1.3 |
| mantisbt/mantisbt (Packagist) | >= 2.2.0, < 2.2.3 | 2.2.3 |
Affected products
- cpe:2.3:a:mantisbt:mantisbt:1.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:1.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mantisbt:mantisbt:2.2.2:*:*:*:*:*:*:*
- (no CPE) range: <=1.3.8, <=2.1.2, <=2.2.2
Patches
0243375e32bc Fix XSS in adm_config_report.php
1 file changed · +1 −1
adm_config_report.php+1 −1 modified@@ -580,7 +580,7 @@ function check_config_value( $p_config ) { <input type="text" name="config_option" class="input-sm" value="<?php echo string_display_line( $t_edit_option ); ?>" size="64" maxlength="64" /> - <input type="hidden" name="original_config_option" value="<?php echo $t_edit_option; ?>" /> + <input type="hidden" name="original_config_option" value="<?php echo string_display_line( $t_edit_option ); ?>" /> </td> </tr>
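Review bot: the hidden original_config_option field is now escaped, but with string_display_line(), a display-text helper, while the value sits inside a double-quoted HTML attribute; the equivalent 1.3 hunk (c9e5b1d04045) uses string_attribute() instead. Unless string_display_line() is known to encode double quotes, prefer the attribute-specific helper here as well, or at least add a regression input such as `a"b` confirming both helpers keep the value inside the attribute.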
e881dd79df42 Fix XSS in adm_config_report.php
1 file changed · +1 −1
adm_config_report.php+1 −1 modified@@ -580,7 +580,7 @@ function check_config_value( $p_config ) { <input type="text" name="config_option" class="input-sm" value="<?php echo string_display_line( $t_edit_option ); ?>" size="64" maxlength="64" /> - <input type="hidden" name="original_config_option" value="<?php echo $t_edit_option; ?>" /> + <input type="hidden" name="original_config_option" value="<?php echo string_display_line( $t_edit_option ); ?>" /> </td> </tr>
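Review bot: this hunk is identical to 0243375e32bc, and the commit message "Fix XSS in adm_config_report.php" names neither the branch it is applied to, the tracker issue, nor the CVE; add a line such as "Backport to <branch>; fixes <bug id>; CVE-2017-7309" (placeholders) so the three commits can be tied together from git history alone.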
c9e5b1d04045 Fix XSS in adm_config_report.php
1 file changed · +1 −1
adm_config_report.php+1 −1 modified@@ -525,7 +525,7 @@ function check_config_value( $p_config ) { <input type="text" name="config_option" value="<?php echo string_attribute( $t_edit_option ); ?>" size="64" maxlength="64" /> - <input type="hidden" name="original_config_option" value="<?php echo $t_edit_option; ?>" /> + <input type="hidden" name="original_config_option" value="<?php echo string_attribute( $t_edit_option ); ?>" /> </span> <span class="label-style"></span> </div>
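Review bot: string_attribute() on the hidden original_config_option field matches the visible config_option input two lines above and is the right helper for a quoted attribute value. Because the browser decodes entities before submitting the form, the server-side comparison of config_option against original_config_option is unaffected; please add a regression test that submits a value containing `"` and `<` and checks the rendered page parses as a single input element.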
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.mantisbt.org/bugs/view.php (nvd: Exploit, Patch, Vendor Advisory, WEB)
- openwall.com/lists/oss-security/2017/03/30/4 (nvd: Mailing List, Third Party Advisory, WEB)
- www.securityfocus.com/bid/97251 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-4w6c-3hcx-rfj5 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-7309 (ghsa: ADVISORY)
- github.com/mantisbt/mantisbt/commit/0243375e32bc24878e309f3d6ef6d8cfb3e2f278 (ghsa: WEB)
- github.com/mantisbt/mantisbt/commit/c9e5b1d0404503022605459552faeaf610bf15ae (ghsa: WEB)
- github.com/mantisbt/mantisbt/commit/e881dd79df422033bbea88914fc0a717fae40358 (ghsa: WEB)
- www.securitytracker.com/id/1038169 (nvd)
News mentions
No linked articles in our index yet.