Bug 1031807 (CVE-2017-6973)

Summary: VUL-0: CVE-2017-6973,CVE-2017-7309,CVE-2017-7241: mantis,mantisbt: XSS issues
Product: [openSUSE] openSUSE.org
Reporter: Andreas Stieger <astieger>
Component: 3rd party software
Assignee: Andreas Stieger <astieger>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2017-03-31 07:21:50 UTC
courtesy bug:

server:php:applications/mantis
server:php:applications/mantisbt

http://seclists.org/oss-sec/2017/q1/695

1. CVE-2017-6973: XSS in adm_config_report.php

A cross-site scripting (XSS) vulnerability in the MantisBT
Configuration Report page (adm_config_report.php) allows remote
attackers to inject arbitrary code through a crafted 'action'
parameter.

Affected versions: 1.3.0-rc.2 through 2.2.1
Fixed in versions: 1.3.8, 2.1.2, 2.2.2 (released 2017-03-22), 2.3.0 (not
yet released*)

Patch:
- 1.3:
http://github.com/mantisbt/mantisbt/commit/034cd07b47af37366fc7b726cb4a4f971d3d3fb9
- 2.x:
http://github.com/mantisbt/mantisbt/commit/da74c5aa02bcf21cfaab1180f892c22415e5fea6

Credits:
- Reported by Yelin and Zhangdongsheng from VenusTech
http://www.venustech.com.cn/
- Fixed by Damien Regad (MantisBT Developer)

References:
- MantisBT issue tracker https://mantisbt.org/bugs/view.php?id=22537



2. CVE-2017-7309: XSS in adm_config_report.php

A cross-site scripting (XSS) vulnerability in the MantisBT
Configuration Report page (adm_config_report.php) allows remote
attackers to inject arbitrary code (if CSP settings permit it) through
a crafted 'config_option' parameter.

This is related to CVE-2017-6973 (see above): it was introduced by the same
change, affects the same component, and has the same root cause of not
escaping the parameter before output.

Affected versions: 1.3.0-rc.2 through 2.2.2
Fixed in versions: 1.3.9, 2.1.3, 2.2.3, 2.3.0 (not yet released*)

Patch:
- 1.3:
http://github.com/mantisbt/mantisbt/commit/c9e5b1d0404503022605459552faeaf610bf15ae
- 2.x:
http://github.com/mantisbt/mantisbt/commit/e881dd79df422033bbea88914fc0a717fae40358

Credits:
- Reported by Yelin and Zhangdongsheng from VenusTech
http://www.venustech.com.cn/
- Fixed by Damien Regad (MantisBT Developer)

References:
- MantisBT issue tracker http://www.mantisbt.org/bugs/view.php?id=22579


3. CVE-2017-7241: XSS in move_attachments_page.php

A cross-site scripting (XSS) vulnerability in the MantisBT Move
Attachments page (move_attachments_page.php, part of admin tools)
allows remote attackers to inject arbitrary code through a crafted
'type' parameter, if Content Security Protection (CSP) settings allow
it.

Note that this vulnerability is not exploitable if the admin tools
directory is removed, as recommended in the Admin Guide [1]. A
reminder to do so is also displayed on the login page.

Affected versions: 1.2.16 and later
Fixed in versions: 1.3.9, 2.1.3, 2.2.3, 2.3.0 (not yet released*)
Note that the 1.2 branch is no longer supported, so no patch is provided for
that; please upgrade to a later version.

Patch:
- 1.3:
http://github.com/mantisbt/mantisbt/commit/d31841c806a3c8379fcf6c9d9559451270b0f1cb
- 2.x:
http://github.com/mantisbt/mantisbt/commit/ecef0e9b523a460709e8feedfce72f05bb30b992
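The three advisories above share one root cause: a request parameter written into HTML without escaping. The following is an added illustration of that defect class and its fix in PHP; it is not MantisBT's code and not taken from the linked commits. The function names, the hidden-input markup and the sample value are constructed for the example.

```php
<?php
// Added example, not MantisBT code: a request parameter echoed into an HTML
// attribute, first unescaped (the defect class behind the advisories above),
// then escaped for the attribute context. Names here are hypothetical.

// Vulnerable pattern: the raw parameter value is concatenated into markup, so
// a quote or angle bracket in the value becomes part of the page structure.
function render_action_vulnerable(string $action): string
{
    return '<input type="hidden" name="action" value="' . $action . '">';
}

// Hardened pattern: escape before output. ENT_QUOTES covers both ' and " so
// the value cannot terminate the attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render_action_safe(string $action): string
{
    $escaped = htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="action" value="' . $escaped . '">';
}

// Defence in depth, matching the "if CSP settings permit it" caveat in the
// advisory: a restrictive Content-Security-Policy header limits what an
// injected script could do even if an escaping bug slips through.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'");
}

// Constructed sample value containing markup characters (no payload, just
// enough to show the difference between the two renderings).
$sample = 'filter"<b>x</b>';

echo render_action_vulnerable($sample), PHP_EOL;
// value="filter"<b>x</b>"  -> the quote ends the attribute early

echo render_action_safe($sample), PHP_EOL;
// value="filter&quot;&lt;b&gt;x&lt;/b&gt;"  -> characters stay data
```

The same rule applies to every output context: escaping for an attribute differs from escaping for a JavaScript string or a URL, so the escaping function must match the place the value lands. When reviewing a fix like the ones linked above, the check is that every occurrence of the parameter on its way to the response passes through the appropriate escaping call, not just the one the report happened to name.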