CVE-2017-7620 - OpenCVE

MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mantisbt	Mantisbt

Configuration 1 [-]

OR	cpe:2.3:a:mantisbt:mantisbt::::::::
	cpe:2.3:a:mantisbt:mantisbt:2.0.0:::::::*
	cpe:2.3:a:mantisbt:mantisbt:2.0.1:::::::*
	cpe:2.3:a:mantisbt:mantisbt:2.1.0:::::::*
	cpe:2.3:a:mantisbt:mantisbt:2.1.1:::::::*
	cpe:2.3:a:mantisbt:mantisbt:2.1.2:::::::*
	cpe:2.3:a:mantisbt:mantisbt:2.2.0:::::::*
	cpe:2.3:a:mantisbt:mantisbt:2.2.2:::::::*
	cpe:2.3:a:mantisbt:mantisbt:2.2.3:::::::*
	cpe:2.3:a:mantisbt:mantisbt:2.2.4:::::::*
	cpe:2.3:a:mantisbt:mantisbt:2.4.0:::::::*

References

Link	Resource
http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt	Exploit Third Party Advisory
http://www.securitytracker.com/id/1038538
https://mantisbt.org/bugs/view.php?id=22702	Issue Tracking
https://mantisbt.org/bugs/view.php?id=22816	Issue Tracking
https://www.exploit-db.com/exploits/42043/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-05-21T14:00:00

Updated: 2017-07-07T09:57:01

Reserved: 2017-04-10T00:00:00

Link: CVE-2017-7620

JSON object: View

NVD Information

Status : Modified

Published: 2017-05-21T14:29:00.180

Modified: 2017-07-08T01:29:17.193

Link: CVE-2017-7620

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-05-21T00:00:00", "descriptions": [{"lang": "en", "value": "MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \\/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-07T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://mantisbt.org/bugs/view.php?id=22816"}, {"name": "1038538", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038538"}, {"name": "42043", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/42043/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://mantisbt.org/bugs/view.php?id=22702"}, {"tags": ["x_refsource_MISC"], "url": "http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-7620", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \\/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://mantisbt.org/bugs/view.php?id=22816", "refsource": "CONFIRM", "url": "https://mantisbt.org/bugs/view.php?id=22816"}, {"name": "1038538", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038538"}, {"name": "42043", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/42043/"}, {"name": "https://mantisbt.org/bugs/view.php?id=22702", "refsource": "CONFIRM", "url": "https://mantisbt.org/bugs/view.php?id=22702"}, {"name": "http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt", "refsource": "MISC", "url": "http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-7620", "datePublished": "2017-05-21T14:00:00", "dateReserved": "2017-04-10T00:00:00", "dateUpdated": "2017-07-07T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mantisbt:mantisbt:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0A45AF0-9B5E-4445-BF5F-7FDE0DECB951", "versionEndIncluding": "1.3.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B537D8BB-944B-4B92-B48D-0CA5A2D01372", "vulnerable": true}, {"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "39492D12-1A13-43CE-84A7-F5CCFB87D612", "vulnerable": true}, {"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3E6AF670-28C3-4D7E-9EB4-E0B366CE818E", "vulnerable": true}, {"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "021CC8F4-B310-4DBF-9D50-B8A357158E4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "D73E7205-12E1-4C57-A120-91C4C0760305", "vulnerable": true}, {"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "2550F1FD-5104-4BAA-80F6-C6202D7326B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "5F89D994-7F93-4839-8A57-F4CD633576E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "2154CE53-2DED-4023-96D5-515468E226B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "CFF4779C-8E14-4CB1-BCB4-80F4C5020629", "vulnerable": true}, {"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9258FCA1-6948-4DFE-BE50-5A39B5A64120", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \\/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF attacks on a permalink_page.php?url= URI and (2) an open redirect via a login_page.php?return= URI."}, {"lang": "es", "value": "MantisBT antes de v1.3.11, 2.x antes de v2.3.3 y 2.4.x antes de v2.4.1 omite una verificaci\u00f3n de barra invertida en string_api.php y, en consecuencia, tiene interpretaciones conflictivas de una subcadena inicial \\/ como introducci\u00f3n de una ruta de acceso local o un host remoto, que conduce a (1) una inyecci\u00f3n arbitraria de HTTP a trav\u00e9s de ataques CSRF en un URI permalink_page.php?url= y (2) una redirecci\u00f3n abierta a trav\u00e9s de un URI login_page.php?return=."}], "id": "CVE-2017-7620", "lastModified": "2017-07-08T01:29:17.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-21T14:29:00.180", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1038538"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://mantisbt.org/bugs/view.php?id=22702"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://mantisbt.org/bugs/view.php?id=22816"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.exploit-db.com/exploits/42043/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}