Stored Cross-Site Scripting Vulnerability in MantisBT by MantisBT Team
CVE-2019-15074

9.6CRITICAL

Key Information:

Vendor: Mantisbt
Status: Mantisbt
Vendor: CVE Published:; 21 August 2019

What is CVE-2019-15074?

The Timeline feature in my_view_page.php of MantisBT versions up to 2.21.1 suffers from a stored cross-site scripting (XSS) vulnerability. This flaw allows attackers to execute arbitrary code through crafted filenames when attachments are uploaded. The executed code can affect any user who has visibility on the respective issue, with execution occurring each time the My View Page is displayed. Proper security measures must be implemented to mitigate the potential risks associated with this vulnerability.

References

https://mantisbt.org/bugs/view.php?id=25995

x_refsource_MISC

https://github.com/mantisbt/mantisbt/commit/9cee1971c498b...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 21, 2019
Vulnerability Reserved
Aug 15, 2019

Mantisbt

What is CVE-2019-15074?

References

CVSS V3.1

Timeline