CVE-2017-7222

Name of the Vulnerable Software and Affected Versions MantisBT versions prior to 2.1.1

Description A cross-site scripting (XSS) issue exists due to insufficient protection of the web page structure. This allows a remote attacker to inject arbitrary HTML or JavaScript code by modifying the window title in the application configuration, which requires administrator access rights or alteration of the system configuration file (config inc.php).

Recommendations For versions prior to 2.1.1, update to version 2.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the MantisBT configuration management pages to prevent unauthorized modifications to the window title setting.