3 matches found
CVE-2019-15074
CVE-2019-15074 describes a stored XSS in MantisBT (Timeline feature in my_view_page.php) affecting versions up to 2.21.1. The vulnerability occurs when an attacker uploads an attachment with a crafted filename; the injected script is executed for any user who can view the issue when My View Page ...
CVE-2018-17782
A cross-site scripting XSS vulnerability in the Manage Filters page managefilterpage.php in MantisBT 2.1.0 through 2.17.1 allows remote attackers if access rights permit it to inject arbitrary code if CSP settings permit it through a crafted project name...
CVE-2017-7309
A cross-site scripting XSS vulnerability in the MantisBT Configuration Report page admconfigreport.php allows remote attackers to inject arbitrary code if CSP settings permit it through a crafted 'configoption' parameter. This is fixed in 1.3.9, 2.1.3, and 2.2.3...