CVE-2022-33910: MantisBT 2.25.5 released – Mantis Bug Tracker – Blog
An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute.
In order to stay up to date with the latest MantisBT news, please star our GitHub repository, follow us on Twitter and retweet to spread the word!
Go ahead and download the release from our website.
Security and maintenance release fixing vulnerabilities with SVG file attachments (CVE-2022-33910), which are now disabled by default; instances with a custom $g_disallowed_files should add svg to the list. Support for PHP 5.6 has been restored, fixing the regression introduced in 2.25.4.
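To make the two controls concrete, here is an added example (not MantisBT's own code) that models an upload-extension blocklist in the style of $g_disallowed_files, with the pre-2.25.5 empty default beside the corrected value, and the headers a download endpoint like file_download.php should send so that an SVG is saved as a file rather than rendered in a tab. The comma-separated extension format and the last-dot extension rule are assumptions, not taken from MantisBT's source.

```python
# Added example, not MantisBT code. Assumes a comma-separated extension
# blocklist (the $g_disallowed_files style) and that the extension after
# the last dot is what the check looks at.
import os

# Constructed configurations for comparison.
WEAK_CONFIG = ""             # pre-2.25.5 default: nothing blocked, SVG uploads accepted
FIXED_CONFIG = "svg"         # 2.25.5 default
CUSTOM_CONFIG = "exe,bat,svg"  # a site-specific list with svg appended, as the note asks

# Formats a browser renders (and runs script in) when served inline.
ACTIVE_CONTENT = {"svg", "html", "htm", "xhtml", "xml"}


def _ext(filename: str) -> str:
    # Lower-cased so 'report.SVG' is handled the same as 'report.svg'.
    return os.path.splitext(filename)[1].lstrip(".").lower()


def is_upload_allowed(filename: str, disallowed: str) -> bool:
    """True if the file's extension is not in the comma-separated blocklist."""
    blocked = {e.strip().lower() for e in disallowed.split(",") if e.strip()}
    return _ext(filename) not in blocked


def download_headers(filename: str, content_type: str) -> dict:
    """Response headers for a stored attachment. Anything that could execute
    script when rendered is forced to download instead of opening inline."""
    inline_ok = (_ext(filename) not in ACTIVE_CONTENT
                 and "svg" not in content_type
                 and not content_type.startswith("text/html"))
    disposition = "inline" if inline_ok else "attachment"
    safe_name = filename.replace('"', "")  # keep the header value well-formed
    return {
        "Content-Type": content_type if inline_ok else "application/octet-stream",
        "X-Content-Type-Options": "nosniff",  # stop the browser second-guessing the type
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
    }


if __name__ == "__main__":
    for cfg in (WEAK_CONFIG, FIXED_CONFIG, CUSTOM_CONFIG):
        print(f"disallowed={cfg!r:16} report.svg allowed: {is_upload_allowed('report.svg', cfg)}")
    print(download_headers("report.svg", "image/svg+xml"))
    print(download_headers("screenshot.png", "image/png"))
```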
- 0029135: [security] CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection (dregad)
- 0030541: [documentation] Impossibility of deleting attachment with form security validation turned on (dregad)
- 0030193: [bugtracker] PHP 5.6 support broken (dregad)
- 0030204: [filters] Create Permalink – special characters handling (dregad)
- 0030533: [security] Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote (community)
- 0030384: [security] CVE-2022-33910: Stored XSS via SVG file upload (dregad)
- 0030416: [security] Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8 (dregad)