Package details: pkg:composer/mantisbt/mantisbt@2.0.0
purl pkg:composer/mantisbt/mantisbt@2.0.0
Next non-vulnerable version 2.1.3
Latest non-vulnerable version 2.27.2
Risk
Vulnerabilities affecting this package (4)
Vulnerability | Summary | Fixed by
VCID-dy4y-w8g5-9udt
Aliases:
CVE-2018-14504
GHSA-74gh-5j33-vg4w
MantisBT allows XSS on the Edit Filter page via crafted filter name
An issue was discovered in manage_filter_edit_page.php in MantisBT 2.x through 2.15.0. A cross-site scripting (XSS) vulnerability in the Edit Filter page allows execution of arbitrary code (if CSP settings permit it) when displaying a filter with a crafted name (e.g., 'foobar" onclick="alert(1)').
2.15.1
Affected by 0 other vulnerabilities.
VCID-f6up-847f-duef
Aliases:
CVE-2017-7615
GHSA-252r-f55f-ff34
MantisBT allows arbitrary password reset
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
2.2.4
Affected by 0 other vulnerabilities.
2.3.1
Affected by 0 other vulnerabilities.
VCID-gnd3-529f-ube6
Aliases:
CVE-2017-12061
GHSA-98xr-mmq5-vc5h
MantisBT XSS allows unsanitized input via admin/install.php
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.
2.5.2
Affected by 0 other vulnerabilities.
VCID-qmgr-sz7u-7kam
Aliases:
CVE-2017-12062
GHSA-w93w-rx52-24qh
MantisBT vulnerable to XSS via unsanitized filter field in manage_user_page.php
An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.
2.5.2
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability | Summary | Aliases
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-02T04:43:43.908015+00:00 | GitLab Importer | Affected by | VCID-qmgr-sz7u-7kam | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2017-12062.yml | 38.6.0
2026-06-02T04:43:17.819692+00:00 | GitLab Importer | Affected by | VCID-dy4y-w8g5-9udt | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2018-14504.yml | 38.6.0
2026-06-02T04:43:05.752063+00:00 | GitLab Importer | Affected by | VCID-gnd3-529f-ube6 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2017-12061.yml | 38.6.0
2026-06-02T04:42:58.587405+00:00 | GitLab Importer | Affected by | VCID-f6up-847f-duef | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2017-7615.yml | 38.6.0