MantisBT is a Web-based open source defect tracking system from the Mantisbt team. A cross-site scripting vulnerability exists in versions of MantisBT prior to 2.25.5. The vulnerability stems from allowing a remote attacker to attach a crafted SVG document to issue a report or bug note, and when a user or administrator clicks on the attachment file_download.php opens in the browser tab Instead of downloading the SVG document as a file, an attacker could exploit the vulnerability to cause JavaScript code execution.