Cross-site scripting in Custom Field name

Moderate
dregad published GHSA-wgx7-jp56-65mq May 12, 2024

Package

mantisbt (Composer)

Affected versions

< 2.26.2

Patched versions

2.26.2

Description

Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when:

  • resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field
  • viewing issues (view_all_bug_page.php) when the custom field is displayed as a column
  • printing issues (print_all_bug_page.php) when the custom field is displayed as a column

Impact

Cross-site scripting (XSS).

Patches

447a521

Workarounds

Ensure Custom Field Names do not contain HTML tags.
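
The escaping problem described above and the workaround check, as an added illustration. This is not MantisBT source and not the patch in 447a521; the function names and the sample field names are hypothetical and constructed for the example.

```php
<?php
// Added illustration only: not MantisBT code. All function names are hypothetical.

// Constructed sample of stored custom field names.
$field_names = ['Customer', 'Build <b>ID</b>', 'R&D owner', 'Region'];

// Unsafe pattern: the stored name is concatenated into markup as-is,
// so any tags it contains become part of the rendered page.
function render_column_header_unsafe(string $name): string
{
    return '<th>' . $name . '</th>';
}

// Hardened pattern: encode for the HTML context at output time, so the
// name is always displayed as text regardless of what was stored.
function render_column_header_safe(string $name): string
{
    return '<th>' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</th>';
}

// Workaround audit: flag any name containing an angle bracket. This is
// deliberately conservative, because a tag does not have to be closed
// inside the name itself to be interpreted by the browser.
function name_needs_review(string $name): bool
{
    return strpbrk($name, '<>') !== false;
}

foreach ($field_names as $name) {
    printf(
        "%-16s review=%-3s unsafe=%-28s safe=%s\n",
        $name,
        name_needs_review($name) ? 'yes' : 'no',
        render_column_header_unsafe($name),
        render_column_header_safe($name)
    );
}
```

Names flagged by the audit should be renamed on installations that cannot yet move to 2.26.2.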

Severity

Moderate 6.6 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: High
  • User interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

CVE ID

CVE-2024-34081
