Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS13Z3g3LWpwNTYtNjVtcc4AA74m

Mantis Bug Tracker (MantisBT) vulnerable to cross-site scripting

Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when:

• resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field
• viewing issues (view_all_bug_page.php) when the custom field is displayed as a column
• printing issues (print_all_bug_page.php) when the custom field is displayed as a column

Impact

Cross-site scripting (XSS).

Patches

https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be

Workarounds

Ensure Custom Field Names do not contain HTML tags.

References

• https://mantisbt.org/bugs/view.php?id=34432
• This is related to CVE-2020-25830 (same root cause, different affected pages)

Permalink: https://github.com/advisories/GHSA-wgx7-jp56-65mq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13Z3g3LWpwNTYtNjVtcc4AA74m
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 6 months ago

CVSS Score: 6.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Identifiers: GHSA-wgx7-jp56-65mq, CVE-2024-34081
References:

• https://github.com/mantisbt/mantisbt/security/advisories/GHSA-wgx7-jp56-65mq
• https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be
• https://mantisbt.org/bugs/view.php?id=34432
• https://nvd.nist.gov/vuln/detail/CVE-2024-34081
• https://github.com/advisories/GHSA-wgx7-jp56-65mq

Repository: https://github.com/mantisbt/mantisbt
Blast Radius: 4.0

Affected Packages