Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-49802: XSS in linked Custom Field's values

The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin and displayed when reporting a new Issue or editing an existing one. This issue is fixed in version 2.0.1. As a workaround, one may utilize MantisBT’s default Content Security Policy, which blocks script execution.

CVE
Open in Source
#xss#java

Moderate

dregad published GHSA-2f37-9xpx-5hhw

Dec 10, 2023

Package

No package listed

Description

Impact

Cross-site scripting in MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin and displayed when reporting a new Issue or editing an existing one.

Patches

See commit 30e5ae7
Fixed in release 2.0.1

Workarounds

MantisBT’s default Content Security Policy blocks script execution.

References

#11

Severity

CVSS base metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Weaknesses

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE