CVE-2017-12061

Name of the Vulnerable Software and Affected Versions MantisBT versions prior to 1.3.12 MantisBT versions 2.x prior to 2.5.2

Description A security issue was found in the installation script of MantisBT, where certain variables, such as $f database, $f db username, and $f admin username, are not properly sanitized, allowing remote attackers to inject arbitrary JavaScript code. This issue is mitigated by the recommended practice of deleting the admin folder after installation and is also prevented by Content Security Policy (CSP).

Recommendations For MantisBT versions prior to 1.3.12, update to version 1.3.12 or later. For MantisBT versions 2.x prior to 2.5.2, update to version 2.5.2 or later. As a temporary workaround, consider deleting the admin folder after installation to minimize the risk of exploitation.