CVE-2017-7897

Name of the Vulnerable Software and Affected Versions MantisBT versions 2.3.x through 2.3.1

Description A cross-site scripting issue exists due to the use of unsanitized $ SERVER['PHP SELF'] to generate URLs, allowing remote attackers to inject arbitrary code through crafted PATH INFO in a URL, if Content Security Policy (CSP) settings permit it. This issue affects the Timeline include page, which is used in My View and User Information pages.

Recommendations For MantisBT versions 2.3.x through 2.3.1, update to version 2.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the My View and User Information pages until the update is applied. Additionally, review and adjust CSP settings to minimize the risk of code injection.