Bugzilla – Bug 1031807
VUL-0: CVE-2017-6973,CVE-2017-7309,CVE-2017-7241: mantis,mantisbt: XSS issues
Last modified: 2017-04-17 08:16:24 UTC
courtesy bug: server:php:applications/mantis server:php:applications/mantisbt

http://seclists.org/oss-sec/2017/q1/695

1. CVE-2017-6973: XSS in adm_config_report.php

A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter.

Affected versions: 1.3.0-rc.2 through 2.2.1
Fixed in versions: 1.3.8, 2.1.2, 2.2.2 (released 2017-03-22), 2.3.0 (not yet released*)

Patch:
- 1.3: http://github.com/mantisbt/mantisbt/commit/034cd07b47af37366fc7b726cb4a4f971d3d3fb9
- 2.x: http://github.com/mantisbt/mantisbt/commit/da74c5aa02bcf21cfaab1180f892c22415e5fea6

Credits:
- Reported by Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
- Fixed by Damien Regad (MantisBT Developer)

References:
- MantisBT issue tracker https://mantisbt.org/bugs/view.php?id=22537

2. CVE-2017-7309: XSS in adm_config_report.php

A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter.

This is related to CVE-2017-6973 (see above): it was introduced by the same change, affects the same component, and has the same root cause of not escaping a parameter before output.

Affected versions: 1.3.0-rc.2 through 2.2.2
Fixed in versions: 1.3.9, 2.1.3, 2.2.3, 2.3.0 (not yet released*)

Patch:
- 1.3: http://github.com/mantisbt/mantisbt/commit/c9e5b1d0404503022605459552faeaf610bf15ae
- 2.x: http://github.com/mantisbt/mantisbt/commit/e881dd79df422033bbea88914fc0a717fae40358

Credits:
- Reported by Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
- Fixed by Damien Regad (MantisBT Developer)

References:
- MantisBT issue tracker http://www.mantisbt.org/bugs/view.php?id=22579

3. CVE-2017-7241: XSS in move_attachments_page.php

A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of the admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Policy (CSP) settings allow it.

Note that this vulnerability is not exploitable if the admin tools directory is removed, as recommended in the Admin Guide [1]. A reminder to do so is also displayed on the login page.

Affected versions: 1.2.16 and later
Fixed in versions: 1.3.9, 2.1.3, 2.2.3, 2.3.0 (not yet released*)

Note that the 1.2 branch is no longer supported, so no patch is provided for it; please upgrade to a later version.

Patch:
- 1.3: http://github.com/mantisbt/mantisbt/commit/d31841c806a3c8379fcf6c9d9559451270b0f1cb
- 2.x: http://github.com/mantisbt/mantisbt/commit/ecef0e9b523a460709e8feedfce72f05bb30b992
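The three advisories above share one root cause: a request parameter is written into the HTML response without escaping. The following PHP script is an added example written for this page, not MantisBT code and not the content of the linked commits. The page name report.php, the function names and the sample input are assumptions; only the parameter name config_option and the role of CSP as a mitigating setting come from the advisory. It shows the vulnerable reflection pattern beside the escaped form, and a CSP header of the kind that limits what an injected fragment can do when escaping is missed.

```php
<?php
// Added illustration (not MantisBT code). Hypothetical page 'report.php'
// that reflects a 'config_option' request parameter into its HTML output.

declare(strict_types=1);

// Vulnerable pattern: the value is concatenated into markup as-is, so any
// markup characters in the parameter become part of the page structure.
function render_unescaped(string $config_option): string
{
    return '<p>Unknown option: ' . $config_option . '</p>';
}

// Hardened pattern: escape at the output boundary, for the HTML context
// the value lands in. ENT_QUOTES also covers attribute contexts,
// ENT_SUBSTITUTE keeps invalid byte sequences from silently emptying the
// string, and the explicit charset avoids surprises with multibyte input.
function render_escaped(string $config_option): string
{
    return '<p>Unknown option: '
        . htmlspecialchars($config_option, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Defence in depth: a Content Security Policy header. The advisory notes that
// two of the three issues only matter "if CSP settings permit it"; a policy
// without 'unsafe-inline' is what makes that condition hold.
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Simple output check a reviewer or test can apply: apart from the template's
// own <p> wrapper, no raw '<' may survive into the rendered fragment.
function reflects_raw_markup(string $html): bool
{
    $body = substr($html, strlen('<p>'), -strlen('</p>'));
    return strpos($body, '<') !== false;
}

// Constructed input (not an exploit): bold tags stand in for "any markup".
$untrusted = $argv[1] ?? '<b>constructed</b>';

$unsafe = render_unescaped($untrusted);
$safe   = render_escaped($untrusted);

echo 'unescaped: ' . $unsafe . PHP_EOL;
echo 'escaped:   ' . $safe . PHP_EOL;
echo csp_header() . PHP_EOL;
echo 'vulnerable variant reflects markup: ' . var_export(reflects_raw_markup($unsafe), true) . PHP_EOL;
echo 'escaped variant reflects markup:    ' . var_export(reflects_raw_markup($safe), true) . PHP_EOL;
```

Run it as `php report.php` (optionally with a value as the first argument). The escaped variant renders the bold tags as literal text (`&lt;b&gt;`), which is the behaviour the three fixes restore for the 'action', 'config_option' and 'type' parameters; the CSP header is the independent layer that the advisory's "if CSP settings permit it" condition refers to.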
mantis: https://build.opensuse.org/request/show/488880
mantisbt: https://build.opensuse.org/request/show/488896