1149 matches found
MantisBT 2.26.1 < 2.28.2 Private Issue Monitoring Authorization Bypass (GHSA-ggw7-9675-6v4v)
The version of MantisBT installed on the remote host is 2.26.1 or later but prior to 2.28.2. It is, therefore, affected by a vulnerability: - MantisBT has an authorization bypass in private issue monitoring. CVE-2026-34579 Note that Nessus has not tested for this issue but has instead relied only...
MantisBT 2.23.0 < 2.28.2 Private Bugnote Attachment Content Leak (GHSA-pw5x-2mf9-3xc8)
The version of MantisBT installed on the remote host is 2.23.0 or later but prior to 2.28.2. It is, therefore, affected by a vulnerability: - MantisBT has a Private Bugnote Attachment Content Leak via REST API. CVE-2026-42071 Note that Nessus has not tested for this issue but has instead relied...
MantisBT 1.3.0 < 2.28.2 Move Attachments Admin Page Stored XSS (GHSA-7mqj-8gj2-cg59)
The version of MantisBT installed on the remote host is 1.3.0 or later but prior to 2.28.2. It is, therefore, affected by a vulnerability: - MantisBT has Stored XSS on Move Attachments Admin Page. CVE-2026-44655 Note that Nessus has not tested for this issue but has instead relied only on the...
MantisBT < 2.28.2 Multiple Vulnerabilities
The version of MantisBT installed on the remote host is prior to 2.28.2. It is, therefore, affected by multiple vulnerabilities: - MantisBT is vulnerable to Privilege Escalation from Manager to Administrator. CVE-2026-34390 - MantisBT is vulnerable to Authorization Bypass in Bugnote Editing via...
MantisBT has Stored XSS on Move Attachments Admin Page
Unescaped Project Name allows an attacker that can set it which typically requires manager or administrator access level to inject HTML in Move Attachments admin page. Impact Cross-site scripting XSS. This is mitigated by Content Security Policy which restricts scripts execution. Patches -...
GHSA-7MQJ-8GJ2-CG59 MantisBT has Stored XSS on Move Attachments Admin Page
Unescaped Project Name allows an attacker that can set it which typically requires manager or administrator access level to inject HTML in Move Attachments admin page. Impact Cross-site scripting XSS. This is mitigated by Content Security Policy which restricts scripts execution. Patches -...
GHSA-PW5X-2MF9-3XC8 MantisBT has a Private Bugnote Attachment Content Leak via REST API
A missing authorization check in MantisBT's file visibility function allows any authenticated user REPORTER+ to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/id/files and SOAP API mcissueattachmentget endpoint. Impact -...
MantisBT has a Private Bugnote Attachment Content Leak via REST API
A missing authorization check in MantisBT's file visibility function allows any authenticated user REPORTER+ to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/id/files and SOAP API mcissueattachmentget endpoint. Impact -...
Missing Authorization
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Missing Authorization in the file visibility process. An attacker can access unauthorized file attachments by sending requests to the REST API or SOAP API endpoints. Remediation Upgrade...
GHSA-J7V9-F46R-2RP4 MantisBT is Vulnerable to Reflected XSS in Rendering Dynamic Custom Textarea Field
Lack of validation of filtertarget parameter on returndynamicfilters.php normally used as an AJAX in View Issues Page allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. Impact Cross-site scripting XSS Patches - c885af13f0b8596714ffe11df757c09f35fbd8f4 Workaround...
MantisBT is Vulnerable to Reflected XSS in Rendering Dynamic Custom Textarea Field
Lack of validation of filtertarget parameter on returndynamicfilters.php normally used as an AJAX in View Issues Page allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. Impact Cross-site scripting XSS Patches - c885af13f0b8596714ffe11df757c09f35fbd8f4 Workaround...
MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column
Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $gshowuserrealname = ON. Impact Cross-site scripting XSS. Note that By default, only users with Manager access level or above can save their filters publicly Patches -...
GHSA-F633-865Q-2MHH MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column
Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $gshowuserrealname = ON. Impact Cross-site scripting XSS. Note that By default, only users with Manager access level or above can save their filters publicly Patches -...
GHSA-6JH4-47V2-4G37 MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page
Improper escaping of the redirection page retrieved from the request's Referer header allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leadi...
MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page
Improper escaping of the redirection page retrieved from the request's Referer header allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leadi...
MantisBT has a Content Security Policy bypass via attachments
Given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via the filedownload.php link, will be downloaded with a valid JavaScript MIME type resulting in...
Improperly Implemented Security Check for Standard
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard in the filedownload.php process. An attacker can execute arbitrary JavaScript code in the context of a user's browser by uploading a specially...
MantisBT is Vulnerable to XSS leading to account takeover via updating a user's font family preference
Any authenticated user can inject arbitrary HTML via updating their account's font family. Impact Cross-site scripting. The injected payload will be reflected in every MantisBT page. Leveraging another vulnerability CSP bypass, see GHSA-9c3j-xm6v-j7j3, the attacker could achieve account takeover...
GHSA-J3V9-553H-X28J MantisBT is Vulnerable to XSS leading to account takeover via updating a user's font family preference
Any authenticated user can inject arbitrary HTML via updating their account's font family. Impact Cross-site scripting. The injected payload will be reflected in every MantisBT page. Leveraging another vulnerability CSP bypass, see GHSA-9c3j-xm6v-j7j3, the attacker could achieve account takeover...
MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values
Improper escaping of a textarea custom field's contents in the Update Issue page bugupdatepage.php allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. Impact Session theft leading to admin account takeover, full project data access....