HTML Injection Vulnerability in MantisBT by Mantis Bug Tracker
CVE-2020-25830

4.8 MEDIUM

Key Information:

Vendor: Mantisbt
Status: Vendor
CVE Published: 30 September 2020

What is CVE-2020-25830?

MantisBT before 2.24.3 does not properly escape the name of a custom field when bug_actiongroup_page.php renders the form for updating that field across a group of issues. A user who is allowed to manage custom fields (an elevated privilege, which is why the CVSS vector carries Privileges Required: High) can therefore store HTML in a custom field name, and when another user opens that page the stored markup is written into the response as-is. If the site's Content Security Policy is not strict enough to block inline script, the injected HTML executes arbitrary JavaScript in the viewing user's browser (the victim has to load the page, hence User Interaction: Required). The result is a stored cross-site scripting condition: the script runs with the viewer's session and can act on, or read data from, the tracker as that user. The issue is fixed in MantisBT 2.24.3.
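The pattern behind this bug and the escaping that closes it, as an added illustration that is not MantisBT's code and not the project's actual fix. The custom field name, the element id and the function names are constructed for the example; the only MantisBT-specific fact it relies on is that creating custom fields is an administrative action.

```php
<?php
// Added illustration for CVE-2020-25830; this is not MantisBT code and not the
// project's fix. It reconstructs the pattern behind the bug (a stored custom
// field name written into HTML without escaping) and shows the escaping that
// closes it. The field name, element id and function names are constructed.

declare(strict_types=1);

// Constructed attacker-controlled custom field name. Creating custom fields is
// an administrative action in MantisBT, which is why the CVSS vector has PR:H.
const SAMPLE_FIELD_NAME = 'Priority<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the stored name is concatenated straight into the markup,
// so the <img> tag and its onerror handler reach the browser intact.
function renderFieldLabelVulnerable(string $fieldName): string
{
    return '<label for="custom_field_value">' . $fieldName . '</label>';
}

// Hardened pattern: escape for the HTML text context before output. MantisBT's
// string API has its own helper for this (string_attribute()); the PHP builtin
// is used here so the snippet runs outside MantisBT.
function renderFieldLabelEscaped(string $fieldName): string
{
    $safe = htmlspecialchars($fieldName, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<label for="custom_field_value">' . $safe . '</label>';
}

// Defence in depth: a CSP whose script-src has no 'unsafe-inline' makes the
// browser refuse inline handlers such as onerror="...", which is the "if CSP
// settings permit" condition in the advisory. It does not remove the HTML
// injection itself, so it is a backstop for escaping, not a replacement.
function strictCspHeaderValue(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
}

// Self-check helper: does the rendered output still contain a live tag of the
// given name (as opposed to the escaped "&lt;img" text)?
function containsLiveTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Only meaningful under a web server; placed before any output so it never
// triggers a "headers already sent" warning.
header('Content-Security-Policy: ' . strictCspHeaderValue());

$vulnerable = renderFieldLabelVulnerable(SAMPLE_FIELD_NAME);
$escaped    = renderFieldLabelEscaped(SAMPLE_FIELD_NAME);

printf("vulnerable: %s\n  live <img> tag present: %s\n",
    $vulnerable, containsLiveTag($vulnerable, 'img') ? 'yes' : 'no');
printf("escaped:    %s\n  live <img> tag present: %s\n",
    $escaped, containsLiveTag($escaped, 'img') ? 'yes' : 'no');
```

Run it with `php` from the command line: the vulnerable rendering keeps the `<img ... onerror=...>` element, the escaped rendering turns it into inert `&lt;img ...&gt;` text. The CSP shown is the kind of policy under which the injected handler would not run even in the vulnerable case; a policy that allows inline script in script-src is the "not stringent" condition the advisory refers to.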

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 30 September 2020