PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7111 Mantisbt CVE debrief

CVE-2016-7111 covers a cross-site scripting issue in MantisBT tied to a weak Content Security Policy when the Gravatar plugin is used. NVD classifies it as CWE-79 with a network-reachable attack surface, user interaction required, and low confidentiality/integrity impact.

Vendor: Mantisbt
Product: CVE-2016-7111
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

MantisBT administrators and developers, especially teams running affected versions with the Gravatar plugin enabled. Security teams responsible for web applications or issue trackers should also prioritize review because the flaw can affect user-facing browser sessions.

Technical summary

The supplied NVD record identifies affected MantisBT versions as before 1.3.1 and 2.x before 2.0.0-beta.2. The vulnerability is described as a weak CSP in the Gravatar plugin that permits XSS via unspecified vectors; NVD maps it to CWE-79 and a CVSS 3.0 vector of AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N.

Defensive priority

Medium. Prioritize upgrading affected MantisBT installations, especially if the Gravatar plugin is enabled on a public or broadly used instance.

Recommended defensive actions

  • Upgrade MantisBT to a fixed release: 1.3.1 or later, or 2.0.0-beta.2 or later, based on the affected-version ranges in NVD.
  • Confirm whether the Gravatar plugin is enabled in each deployment and treat those instances as higher priority for remediation.
  • Apply the vendor patch/reference associated with the fix if you maintain a fork or backport the change into a packaged build.
  • Review browser-facing security controls for the application, including CSP behavior, to ensure plugin-specific content is not excessively trusted.
  • Monitor for signs of XSS abuse in MantisBT user sessions and related application logs while remediation is underway.
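A small CSP audit routine that supports the review step above, added here as an illustration and not code from MantisBT or the Gravatar plugin. It parses a Content-Security-Policy header and flags sources in the script-controlling directives that would weaken XSS protection; the two sample policies are constructed (the page does not quote the plugin's actual header), and the gravatar host in them is only an example of scoping an avatar source to img-src rather than to script-src.

```python
"""Constructed CSP audit example: flag directive sources that weaken XSS defences."""
from typing import Dict, List

# Source expressions that let arbitrary or inline script run when present
# in a script-controlling directive.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
# Directives that govern script execution (default-src is the fallback for script-src).
SCRIPT_LIKE = ("default-src", "script-src", "object-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}; names and sources are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings for script-relevant weaknesses in a CSP header."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("missing default-src fallback")
    for name, sources in policy.items():
        if name not in SCRIPT_LIKE:
            continue  # img-src, style-src etc. do not grant script execution
        for source in sources:
            if source in RISKY_SOURCES:
                findings.append(f"{name} allows {source}")
            elif source.startswith("*."):
                findings.append(f"{name} allows wildcard host {source}")
    return findings


# Constructed sample headers: a permissive one that trusts an avatar host for
# script, and a tightened one that only trusts it for images.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *.gravatar.com; img-src *"
STRICT_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'; img-src 'self' https://secure.gravatar.com"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(label, audit_csp(header) or "no findings")
```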

Evidence notes

Evidence comes from the supplied NVD CVE record and its references. The record lists the vulnerability as CWE-79, provides the CVSS 3.0 vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N, and identifies affected versions as before 1.3.1 and 2.x before 2.0.0-beta.2. NVD also cites OSS-security mailing-list posts, a GitHub patch commit, and a vendor advisory/bug tracker entry. The CVE was published on 2017-02-17; the supplied source metadata was last modified on 2026-05-13.

Official resources

The issue was publicly discussed on OSS-security on 2016-08-28 and 2016-08-29, and the CVE record was published on 2017-02-17. The supplied NVD metadata was later modified on 2026-05-13.