Lucene search

[email protected]CVE-2019-15539

HistoryMar 19, 2020 - 7:15 p.m.

CVE-2019-15539

2020-03-1919:15:11

CWE-79

[email protected]

web.nvd.nist.gov

cve-2019-15539

mantisbt

xss

security vulnerability

csp settings

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

The proj_doc_edit_page.php Project Documentation feature in MantisBT before 2.21.3 has a stored cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed when editing the document’s page.

CPE configuration

NVD

mantisbtmantisbtRange<2.21.3

CPENameOperatorVersion
mantisbt:mantisbtmantisbtlt2.21.3

CPE	Name	Operator	Version
mantisbt:mantisbt	mantisbt	lt	2.21.3

References

github.com/mantisbt/mantisbt/commit/bd094dede74ff6e313e286e949e2387233a96eea

mantisbt.org/bugs/view.php?id=26078

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

Related for CVE-2019-15539

cvelist1 prion1 openvas2 nvd1 osv1