CVE-2014-8987

Name of the Vulnerable Software and Affected Versions MantisBT versions 1.2.13 through 1.2.17

Description A cross-site scripting (XSS) issue exists in the Configuration Report page, specifically in the "set configuration" box, allowing remote administrators to inject arbitrary web script or HTML. This is achieved via the config option parameter in the adm config report.php page.

Recommendations For MantisBT versions 1.2.13 through 1.2.17, consider restricting access to the Configuration Report page until a fix is available. As a temporary workaround, avoid using the config option parameter in the adm config report.php page to minimize the risk of exploitation.