This is fixed in 1.3.8, 2.1.2, and 2.2.2.Īn XSS vulnerability in the MantisBT Source Integration Plugin (before 2.0.2) search result page allows an attacker to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by crafting any valid parameter.Ī cross-site scripting (XSS) vulnerability in view_filters_page.php in MantisBT before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'view_type' parameter.Ī cross-site scripting (XSS) vulnerability in bug_change_status_page.php in MantisBT before 1.3.7 and 2.x before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'action_type' parameter.
This requires privileged access to MantisBT configuration management pages (i.e., administrator access rights) or altering the system configuration file (config_inc.php).Ī cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter. A reminder to do so is also displayed on the login page.Ī cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript (if MantisBT's CSP settings permit it) by modifying 'window_title' in the application configuration.
Note that this vulnerability is not exploitable if the admin tools directory is removed, as recommended in the "Post-installation and upgrade tasks" of the MantisBT Admin Guide. This is fixed in 1.3.9, 2.1.3, and 2.2.3.Ī cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allows it.
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.Ī cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Injection via CSRF attacks on a _page.php?url= URI and (2) an open redirect via a login_page.php?return= URI.
A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.Ī cross-site request forgery vulnerability in Jenkins Mantis Plugin 0.26 and earlier allows attackers to connect to an attacker-specified web server using attacker-specified credentials.Ī cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to use of unsanitized $_SERVER to generate URLs.