Headline
GHSA-wgx7-jp56-65mq: Mantis Bug Tracker (MantisBT) vulnerable to cross-site scripting
Improper escaping of a custom field’s name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when:
- resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field
- viewing issues (view_all_bug_page.php) when the custom field is displayed as a column
- printing issues (print_all_bug_page.php) when the custom field is displayed as a column
Impact
Cross-site scripting (XSS).
Patches
https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be
Workarounds
Ensure Custom Field Names do not contain HTML tags.
References
- https://mantisbt.org/bugs/view.php?id=34432
- This is related to CVE-2020-25830 (same root cause, different affected pages)
Package
composer mantisbt/mantisbt (Composer)
Affected versions
< 2.26.2
Patched versions
2.26.2
Description
Improper escaping of a custom field’s name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when:
- resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field
- viewing issues (view_all_bug_page.php) when the custom field is displayed as a column
- printing issues (print_all_bug_page.php) when the custom field is displayed as a column
Impact
Cross-site scripting (XSS).
Patches
mantisbt/mantisbt@447a521
Workarounds
Ensure Custom Field Names do not contain HTML tags.
References
- https://mantisbt.org/bugs/view.php?id=34432
- This is related to CVE-2020-25830 (same root cause, different affected pages)
References
- GHSA-wgx7-jp56-65mq
- mantisbt/mantisbt@447a521
- https://mantisbt.org/bugs/view.php?id=34432
dregad published to mantisbt/mantisbt
May 12, 2024
Published to the GitHub Advisory Database
May 13, 2024
Reviewed
May 13, 2024
Last updated
May 13, 2024