MantisBT up to 1.3.0/2.0.0-beta.1 Filter API view_all_bug_page.php view_type cross site scripting
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.0 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, was found in MantisBT up to 1.3.0/2.0.0-beta.1. This affects an unknown function of the file /mantis/view_all_bug_page.php of the component Filter API. Such manipulation of the argument view_type with the input "><script>alert('XSS');</script> leads to cross site scripting.
This vulnerability is referenced as CVE-2016-6837. It is possible to launch the attack remotely. Furthermore, an exploit is available.
A patch should be applied to remediate this issue.
Details
A vulnerability was found in MantisBT up to 1.3.0/2.0.0-beta.1 (Bug Tracking Software). It has been rated as problematic. Affected by this issue is some unknown functionality of the file /mantis/view_all_bug_page.php of the component Filter API. The manipulation of the argument view_type with the input value "><script>alert('XSS');</script> leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. CVE summarizes:
Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.0-beta1 allows remote attackers to inject arbitrary web script or HTML via the view_type parameter.
The weakness was published 08/16/2016 by Will Dollman as confirmed git commit (GIT Repository). The advisory is available at github.com. This vulnerability is handled as CVE-2016-6837. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. Technical details as well as a public exploit are known. This vulnerability is assigned to T1059.007 by the MITRE ATT&CK project.
A public exploit has been developed in URL. The exploit is available at vuldb.com. It is declared as proof-of-concept. By approaching the search of inurl:mantis/view_all_bug_page.php it is possible to find vulnerable targets with Google Hacking. The vulnerability scanner Nessus provides a plugin with the ID 96992 (FreeBSD : mantis -- XSS vulnerability (2b63e964-eb04-11e6-9ac1-a4badb2f4699)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family FreeBSD Local Security Checks. The code used by the exploit is:
http://[target]/mantis/view_all_bug_page.php?view_type="><script>alert('XSS');</script>Upgrading to version 1.3.1 or 2.0.0-beta.2 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be patching the affected component. A possible mitigation has been published immediately after the disclosure of the vulnerability. The vulnerability will be addressed with the following lines of code:
if( $p_filter_arr['_view_type'] !== 'advanced' ) {
$p_filter_arr['_view_type'] = 'simple';
}The vulnerability is also documented in the databases at Tenable (96992), SecurityFocus (BID 92522†) and SecurityTracker (ID 1036655†). If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Type
Name
Version
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.2VulDB Meta Temp Score: 5.0
VulDB Base Score: 4.3
VulDB Temp Score: 3.9
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 6.1
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Cross site scriptingCWE: CWE-79 / CWE-94 / CWE-74
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Programming Language: 🔍
Download: 🔍
Google Hack: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 96992
Nessus Name: FreeBSD : mantis -- XSS vulnerability (2b63e964-eb04-11e6-9ac1-a4badb2f4699)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 103214
OpenVAS Name: MantisBT view_type Cross Site Scripting Vulnerability (Windows)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: MantisBT 1.3.1/2.0.0-beta.2
Patch: github.com
Timeline
08/16/2016 🔍08/16/2016 🔍
08/17/2016 🔍
08/18/2016 🔍
08/20/2016 🔍
01/10/2017 🔍
04/20/2025 🔍
Sources
Product: github.comAdvisory: 7086c2d8b4b20ac14013b36761ac04f0abf21a4e
Researcher: Will Dollman
Status: Confirmed
CVE: CVE-2016-6837 (🔍)
GCVE (CVE): GCVE-0-2016-6837
GCVE (VulDB): GCVE-100-90890
SecurityFocus: 92522
SecurityTracker: 1036655 - MantisBT Input Validation Flaw in Filter API Lets Remote Users Conduct Cross-Site Scripting Attacks
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 08/20/2016 19:08Updated: 04/20/2025 14:23
Changes: 08/20/2016 19:08 (53), 08/20/2016 19:11 (21), 09/14/2022 09:09 (4), 09/14/2022 09:10 (1), 04/20/2025 14:23 (26)
Complete: 🔍
Cache ID: 216:485:103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.