39 matches found
CVE-2026-33517
Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, when deleting a Tag tagdelete.php, improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Versi...
EUVD-2017-15996
Malware in sbrugna...
EUVD-2020-23238
Malware in sbrugna...
EUVD-2020-29811
Malware in sbrugna...
EUVD-2022-44202
Malicious code in bioql PyPI...
CVE-2024-34081
CVE-2024-34081 affects MantisBT up to version 2.26.2. Improper escaping of a custom field name lets an attacker inject HTML and, if CSP allows, execute arbitrary JavaScript when resolving/closing issues, viewing issues as a column, or printing issues. Root cause: unescaped HTML in the custom fiel...
Ubuntu 18.04 LTS / 20.04 LTS : Firefox vulnerabilities (USN-5649-1)
The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5649-1 advisory. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could...
Oracle Linux 8 : thunderbird (ELSA-2022-6708)
The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2022-6708 advisory. 102.3.0-3.0.1 - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js 102.3.0-3 - Update to 102.3.0 build1 Tenable has...
MantisBT XSS in manage_custom_field_update.php
An issue was discovered in MantisBT through 2.24.3. In the helperensureconfirmed call in managecustomfieldupdate.php, the custom field name is not sanitized. This may be problematic depending on CSP settings...
CVE-2018-13055
A cross-site scripting XSS vulnerability in the View Filters page viewfilterspage.php in MantisBT 2.1.0 through 2.15.0 allows remote attackers to inject arbitrary code if CSP settings permit it through a crafted PATHINFO...
MantisBT allows XSS via the Manage Filter page
A cross-site scripting XSS vulnerability in the Manage Filters page managefilterpage.php in MantisBT 2.1.0 through 2.17.1 allows remote attackers if access rights permit it to inject arbitrary code if CSP settings permit it through a crafted project name...
CVE-2020-35571
An issue was discovered in MantisBT through 2.24.3. In the helperensureconfirmed call in managecustomfieldupdate.php, the custom field name is not sanitized. This may be problematic depending on CSP settings...
CVE-2020-35571
An issue was discovered in MantisBT through 2.24.3. In the helperensureconfirmed call in managecustomfieldupdate.php, the custom field name is not sanitized. This may be problematic depending on CSP settings...
Code injection
An issue was discovered in MantisBT through 2.24.3. In the helperensureconfirmed call in managecustomfieldupdate.php, the custom field name is not sanitized. This may be problematic depending on CSP settings...
CVE-2020-35571
An issue was discovered in MantisBT through 2.24.3. In the helperensureconfirmed call in managecustomfieldupdate.php, the custom field name is not sanitized. This may be problematic depending on CSP settings...
CVE-2020-25830
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bugactiongrouppage.php...
CVE-2020-25288
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of...
CVE-2019-15539
The CVE-2019-15539 entry concerns MantisBT before version 2.21.3, affecting the proj_doc_edit_page.php Project Documentation feature. The vulnerability is a stored XSS flaw triggered when uploading an attachment with a crafted filename; the injected script is executed when editing the document pa...
CVE-2019-15539
The projdoceditpage.php Project Documentation feature in MantisBT before 2.21.3 has a stored cross-site scripting XSS vulnerability, allowing execution of arbitrary code if CSP settings permit it after uploading an attachment with a crafted filename. The code is executed when editing the document...
CVE-2019-15074
The Timeline feature in myviewpage.php in MantisBT through 2.21.1 has a stored cross-site scripting XSS vulnerability, allowing execution of arbitrary code if CSP settings permit it after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the...