VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-23t9-317h-4fem

Essentials
Severities (15)
References (9)
Severity details (14)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-23t9-317h-4fem
Aliases	CVE-2017-7309 GHSA-4w6c-3hcx-rfj5
Summary	MantisBT vulnerable to XSS through config_option parameter in adm_config_report.php A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed in 1.3.9, 2.1.3, and 2.2.3.
Status	Published
Exploitability	0.5
Weighted Severity	0.0
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	4.8	http://openwall.com/lists/oss-security/2017/03/30/4
generic_textual	MODERATE	http://openwall.com/lists/oss-security/2017/03/30/4
epss	0.02475	https://api.first.org/data/v1/epss?cve=CVE-2017-7309
cvssv3.1	4.8	https://github.com/mantisbt/mantisbt
generic_textual	MODERATE	https://github.com/mantisbt/mantisbt
cvssv3.1	4.8	https://github.com/mantisbt/mantisbt/commit/0243375e32bc24878e309f3d6ef6d8cfb3e2f278
generic_textual	MODERATE	https://github.com/mantisbt/mantisbt/commit/0243375e32bc24878e309f3d6ef6d8cfb3e2f278
cvssv3.1	4.8	https://github.com/mantisbt/mantisbt/commit/c9e5b1d0404503022605459552faeaf610bf15ae
generic_textual	MODERATE	https://github.com/mantisbt/mantisbt/commit/c9e5b1d0404503022605459552faeaf610bf15ae
cvssv3.1	4.8	https://github.com/mantisbt/mantisbt/commit/e881dd79df422033bbea88914fc0a717fae40358
generic_textual	MODERATE	https://github.com/mantisbt/mantisbt/commit/e881dd79df422033bbea88914fc0a717fae40358
cvssv3.1	4.8	https://nvd.nist.gov/vuln/detail/CVE-2017-7309
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2017-7309
cvssv3.1	4.8	http://www.mantisbt.org/bugs/view.php?id=22579
generic_textual	MODERATE	http://www.mantisbt.org/bugs/view.php?id=22579

Reference id	Reference type	URL
		http://openwall.com/lists/oss-security/2017/03/30/4
		https://api.first.org/data/v1/epss?cve=CVE-2017-7309
		https://github.com/mantisbt/mantisbt
		https://github.com/mantisbt/mantisbt/commit/0243375e32bc24878e309f3d6ef6d8cfb3e2f278
		https://github.com/mantisbt/mantisbt/commit/c9e5b1d0404503022605459552faeaf610bf15ae
		https://github.com/mantisbt/mantisbt/commit/e881dd79df422033bbea88914fc0a717fae40358
		http://www.mantisbt.org/bugs/view.php?id=22579
CVE-2017-7309		https://nvd.nist.gov/vuln/detail/CVE-2017-7309
GHSA-4w6c-3hcx-rfj5		https://github.com/advisories/GHSA-4w6c-3hcx-rfj5

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at http://openwall.com/lists/oss-security/2017/03/30/4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mantisbt/mantisbt

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mantisbt/mantisbt/commit/0243375e32bc24878e309f3d6ef6d8cfb3e2f278

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mantisbt/mantisbt/commit/c9e5b1d0404503022605459552faeaf610bf15ae

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mantisbt/mantisbt/commit/e881dd79df422033bbea88914fc0a717fae40358

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-7309

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at http://www.mantisbt.org/bugs/view.php?id=22579

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.85532
EPSS Score	0.02475
Published At	May 30, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-30T20:59:18.994055+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2017-7309.yml	38.6.0