PT-2017-17848 · Mantisbt · Mantisbt

Hyp3Rlinx

Published

2017-05-21

Updated

2022-05-17

CVE-2017-7620

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions MantisBT versions prior to 1.3.11 MantisBT versions 2.x prior to 2.3.3 MantisBT versions 2.4.x prior to 2.4.1

Description The issue arises from the omission of a backslash check in string api.php, leading to conflicting interpretations of an initial / substring as either introducing a local pathname or a remote hostname. This results in two main problems: (1) arbitrary Permalink Injection via CSRF attacks on a "permalink page.php?url=" URI, and (2) an open redirect via a "login page.php?return=" URI.

Recommendations For MantisBT versions prior to 1.3.11, update to version 1.3.11 or later. For MantisBT versions 2.x prior to 2.3.3, update to version 2.3.3 or later. For MantisBT versions 2.4.x prior to 2.4.1, update to version 2.4.1 or later.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2017-7620

GHSA-9X76-MP7R-2XC5

Affected Products

Mantisbt

PT-2017-17848 · Mantisbt · Mantisbt

CVE-2017-7620

Weakness Enumeration

Related Identifiers

Affected Products

References · 12