Improper escaping of a custom field’s name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when:
Cross-site scripting (XSS).
https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be
Ensure Custom Field Names do not contain HTML tags.
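The two defensive layers behind this advisory, shown as an added PHP illustration (not MantisBT's own code): escaping the custom field name at render time, and refusing to store a name that contains HTML tags, which is the approach the commit message above describes. The function names and the sample name are constructed for this example.

```php
<?php
// Added example, not MantisBT code: why an unescaped custom field name
// becomes HTML injection, and two independent ways to stop it.

// Constructed sample input: a custom field name carrying markup.
$untrustedName = '<b>Priority</b>';

// Vulnerable pattern: the raw name is concatenated straight into HTML,
// so any tags in it are rendered by the browser.
function render_label_unsafe(string $name): string
{
    return '<label>' . $name . '</label>';
}

// Layer 1 (output): escape on render so markup is displayed literally.
function render_label_safe(string $name): string
{
    return '<label>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</label>';
}

// Layer 2 (input): reject names containing HTML tags when they are saved.
// If strip_tags() changes the string, a tag-like sequence was present.
function custom_field_name_is_valid(string $name): bool
{
    return $name !== '' && strip_tags($name) === $name;
}

echo render_label_unsafe($untrustedName), PHP_EOL;    // markup is live
echo render_label_safe($untrustedName), PHP_EOL;      // markup is inert text
var_dump(custom_field_name_is_valid($untrustedName)); // rejected
var_dump(custom_field_name_is_valid('Priority'));     // accepted
```

Output escaping is the primary control, since it protects every page that prints the name; the input check is a second layer that keeps such values out of the database in the first place. A CSP without `unsafe-inline` limits what injected markup can execute but does not remove the injection itself.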
CPE

| Name | Operator | Version |
|---|---|---|
| mantisbt/mantisbt | lt | 2.26.2 |