1149 matches found
MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
Improper escaping of Tag name when deleting it in tagdelete.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Impact Cross-site scripting XSS. Patches 80990f43153167c73f11eb4b2bc7108d0c3d6b46 Workarounds Revert commit...
MantisBT < 2.28.1 SOAP API Authentication Bypass (GHSA-phrq-pc6r-f6gh)
The version of MantisBT installed on the remote host is prior to 2.28.1. It is, therefore, affected by a vulnerability: - An authentication bypass vulnerability exists in the SOAP API due to improper type checking on the password parameter when running on MySQL family databases. Using a crafted...
MantisBT 2.28.x < 2.28.2 Timeline Tag Name XSS (GHSA-73vx-49mv-v8w5)
The version of MantisBT installed on the remote host is 2.28.x prior to 2.28.2. It is, therefore, affected by a vulnerability: - A cross-site scripting XSS vulnerability exists in the Timeline view myviewpage.php due to improper escaping of tag names retrieved from History. An attacker can inject...
MantisBT 2.28.0 Tag Deletion XSS (GHSA-fh48-f69w-7vmp)
The version of MantisBT installed on the remote host is 2.28.0. It is, therefore, affected by a vulnerability: - A cross-site scripting XSS vulnerability exists in the tag deletion confirmation page tagdelete.php due to improper escaping of the tag name when displaying the confirmation message. A...
CVE-2026-33548 MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline
Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline myviewpage.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has...
Exploit for OS Command Injection in Mantisbt
CVE-2019...
CVE-2023-49802
The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin an...
Authentication Bypass
mantisbt/mantisbt is vulnerable to Authentication Bypass. The vulnerability is due to the use of loose comparison == instead of strict comparison === in authentication logic, which allows an attacker to exploit MD5 hash collisions interpreted as numeric zero and gain unauthorized access without...
CVE-2025-55155
CVE-2025-55155 affects MantisBT up to version 2.27.1, where changing a user’s email address isn’t validated for ownership. This can lead to storing an invalid email and potential information disclosure via notifications sent to another user’s address. The issue is fixed in version 2.27.2. Affecte...
CVE-2025-47776 MantisBT: Authentication bypass for some passwords due to PHP type juggling
Mantis Bug Tracker MantisBT is an open source issue tracker. Due to incorrect use of loose == instead of strict === comparison in the authentication code in versions 2.27.1 and below.PHP type juggling will cause certain MD5 hashes matching scientific notation to be interpreted as numbers. Instanc...
EUVD-2025-37509
Mantis Bug Tracker MantisBT is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt issue activity logs by submitting extremely long notes tested with 4,788,761 characters due to a lack of server-side validation of note length. Once such a note is added,...
MantisBT 授权问题漏洞
MantisBT is a Web-based open source defect tracking system of the MantisBT team . The system provides project management and defect tracking services in the form of Web operations. An authorization issue vulnerability exists in MantisBT 2.27.1 and earlier versions, which stems from insufficient...
MantisBT 安全漏洞
MantisBT is a Web-based open source defect tracking system from the MantisBT team. The system provides project management and defect tracking services in a web-operated format. A security vulnerability exists in MantisBT 2.27.1 and earlier versions that stems from the use of loose comparisons...
MantisBT 安全漏洞
MantisBT is a Web-based open source defect tracking system from the MantisBT team. The system provides project management and defect tracking services in a web-operated format. A security vulnerability exists in MantisBT 2.27.1 and earlier versions, which stems from an unvalidated comment length...
GHSA-G582-8VWR-68H2 MantisBT unauthorized disclosure of private project column configuration
Impact Due to insufficient access-level checks, any non-admin user having access to manageconfigcolumnspage.php typically project managers having MANAGER role can use the Copy From action to retrieve the columns configuration from a private project they have no access to. Access to the reverse...
GHSA-Q747-C74M-69PR MantisBT lacks verification when changing a user's email address
When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. Impact This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person'...
GHSA-R3JF-HM7Q-QFW5 MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length
A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes tested with 4,788,761 characters. Once such a note is added: Impact - The entire activity stream becomes unviewable UI fails to render. - New...
GHSA-4V8W-GG5J-PH37 MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling
Due to an incorrect use of loose == instead of strict === comparison in the authentication code1, PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation. 1:...
EUVD-2025-37510
MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling...
MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling
Due to an incorrect use of loose == instead of strict === comparison in the authentication code1, PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation. 1:...