GoogleOSV:GHSA-WGX7-JP56-65MQMantis Bug Tracker (MantisBT) vulnerable to cross-site scripting
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
6.6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
6.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
24.0%
Improper escaping of a custom field’s name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when:
- resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field
- viewing issues (view_all_bug_page.php) when the custom field is displayed as a column
- printing issues (print_all_bug_page.php) when the custom field is displayed as a column
Impact
Cross-site scripting (XSS).
Patches
https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be
Workarounds
Ensure Custom Field Names do not contain HTML tags.
References
- https://mantisbt.org/bugs/view.php?id=34432
- This is related to CVE-2020-25830 (same root cause, different affected pages)
Related
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
6.6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
6.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
24.0%