Lucene search

GoogleOSV:CVE-2024-34081

HistoryMay 14, 2024 - 3:38 p.m.

CVE-2024-34081

2024-05-1415:38:30

Google

osv.dev

mantisbt

html injection

javascript execution

custom field

patch

security issue

6.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

MantisBT (Mantis Bug Tracker) is an open source issue tracker. Improper escaping of a custom field’s name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field, viewing issues (view_all_bug_page.php) when the custom field is displayed as a column, or printing issues (print_all_bug_page.php) when the custom field is displayed as a column. Version 2.26.2 contains a patch for the issue. As a workaround, ensure Custom Field Names do not contain HTML tags.

CPENameOperatorVersion
mantisbteqrelease-2.25.8
mantisbteqrelease-1.3.0-beta.1
mantisbteqrelease-2.0.0-beta.1
mantisbteqrelease-2.0.0-rc.1
mantisbteqrelease-2.1.1
mantisbteqrelease-2.23.0
mantisbteqrelease-1.3.0-beta.2
mantisbteqrelease-2.0.0-rc.2
mantisbteqrelease-2.0.0-beta.3
mantisbteqrelease-2.24.5

Name	Operator	Version
mantisbt	eq	release-2.25.8
mantisbt	eq	release-1.3.0-beta.1
mantisbt	eq	release-2.0.0-beta.1
mantisbt	eq	release-2.0.0-rc.1
mantisbt	eq	release-2.1.1
mantisbt	eq	release-2.23.0
mantisbt	eq	release-1.3.0-beta.2
mantisbt	eq	release-2.0.0-rc.2
mantisbt	eq	release-2.0.0-beta.3
mantisbt	eq	release-2.24.5

Rows per page:

1-10 of 751

References

github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be

github.com/mantisbt/mantisbt/security/advisories/GHSA-wgx7-jp56-65mq

mantisbt.org/bugs/view.php?id=34432