HTML Injection Vulnerability in MantisBT by Mantis Bug Tracker
CVE-2020-25288

4.8 MEDIUM

Key Information:

Vendor: Mantisbt
Status: Vendor
CVE Published: 30 September 2020

What is CVE-2020-25288?

MantisBT before version 2.24.3 does not properly escape the pattern attribute of custom fields on the issue edit page. An attacker who can control that attribute can inject arbitrary HTML, which leads to execution of arbitrary JavaScript if the site's Content Security Policy does not block such scripts.

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
