Cross-Site Scripting in MantisBT Vulnerable Products
CVE-2022-28508

6.1MEDIUM

Key Information:

Vendor: Mantisbt
Status: Mantisbt
Vendor: CVE Published:; 4 May 2022

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2022-28508?

An XSS vulnerability exists in MantisBT prior to version 2.25.2 within the 'browser_search_plugin.php' file. The flaw arises from the unescaped output of the return parameter, which could allow an attacker to inject malicious code into a hidden input field. This could lead to unauthorized script execution in the context of a user's session, posing significant security risks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-28508
Created by YavuzSahbaz

References

https://mantisbt.org/

x_refsource_MISC

https://sourceforge.net/projects/mantisbt/

x_refsource_MISC

https://github.com/YavuzSahbaz/CVE-2022-28508/blob/main/M...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2022
🟡
Public PoC available
Apr 28, 2022
👾
Exploit known to exist
Apr 28, 2022
Vulnerability Reserved
Apr 4, 2022

Mantisbt

Badges

What is CVE-2022-28508?

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline