VulnerableCode Package Details - pkg:composer/mantisbt/mantisbt@2.5.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-jqsn-z754-57ek Aliases: CVE-2020-25781 GHSA-xjmx-cprh-646r	MantisBT unauthorized users able to access private files An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.	2.24.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-jqsn-z754-57ek
Aliases:
CVE-2020-25781
GHSA-xjmx-cprh-646r

MantisBT unauthorized users able to access private files An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.

2.24.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-gnd3-529f-ube6	MantisBT XSS allows unsanitized input via admin/install.php An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.	CVE-2017-12061 GHSA-98xr-mmq5-vc5h
VCID-qmgr-sz7u-7kam	MantisBT vulnerable to XSS via unsanitized filter field in manage_user_page.php An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.	CVE-2017-12062 GHSA-w93w-rx52-24qh

Vulnerability

Summary

Aliases

VCID-gnd3-529f-ube6

MantisBT XSS allows unsanitized input via admin/install.php An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.

CVE-2017-12061
GHSA-98xr-mmq5-vc5h

VCID-qmgr-sz7u-7kam

MantisBT vulnerable to XSS via unsanitized filter field in manage_user_page.php An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being rendered in the Manage User page, allowing remote attackers to execute arbitrary JavaScript code if CSP is disabled.

CVE-2017-12062
GHSA-w93w-rx52-24qh

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T18:51:38.385757+00:00	GHSA Importer	Affected by	VCID-jqsn-z754-57ek	https://github.com/advisories/GHSA-xjmx-cprh-646r	38.6.0
2026-06-04T18:05:52.966599+00:00	GithubOSV Importer	Fixing	VCID-gnd3-529f-ube6	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-98xr-mmq5-vc5h/GHSA-98xr-mmq5-vc5h.json	38.6.0
2026-06-04T18:03:35.368091+00:00	GithubOSV Importer	Fixing	VCID-qmgr-sz7u-7kam	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w93w-rx52-24qh/GHSA-w93w-rx52-24qh.json	38.6.0
2026-06-02T04:43:43.911671+00:00	GitLab Importer	Fixing	VCID-qmgr-sz7u-7kam	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2017-12062.yml	38.6.0
2026-06-02T04:43:05.764239+00:00	GitLab Importer	Fixing	VCID-gnd3-529f-ube6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2017-12061.yml	38.6.0