Cross-Site Scripting Vulnerability in MantisBT by MantisBT Team
CVE-2022-26144

6.1 MEDIUM

Key Information:

Vendor: Mantisbt

Status
Vendor
CVE Published: 13 April 2022

What is CVE-2022-26144?

An XSS vulnerability exists in MantisBT prior to version 2.25.3 due to improper escaping of plugin names. This flaw could allow attackers to execute arbitrary code through crafted plugins. It affects the application's management functionality, specifically the manage_plugin_page.php and manage_plugin_uninstall.php scripts, when a compromised plugin is installed.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
