Lucene search

Veracode Vulnerability DatabaseVERACODE:46884

HistoryMay 14, 2024 - 5:56 a.m.

Cross-Site Scripting

2024-05-1405:56:55

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

mantisbt

cross-site scripting

input sanitization

html injection

javascript execution

software vulnerability

6.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

7.3 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

mantisbt/mantisbt is vulnerable to Cross-Site Scripting. The vulnerability is due to improper user input sanitization of the custom field’s name, allowing attackers to inject HTML and potentially execute arbitrary JavaScript in certain scenarios.

CPENameOperatorVersion
mantisbt/mantisbtle2.26.1
mantisbt/mantisbtle2.26.1

CPE	Name	Operator	Version
	mantisbt/mantisbt	le	2.26.1
	mantisbt/mantisbt	le	2.26.1

References

github.com/advisories/GHSA-wgx7-jp56-65mq

github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be

github.com/mantisbt/mantisbt/security/advisories/GHSA-wgx7-jp56-65mq

mantisbt.org/bugs/view.php?id=34432