Cross-Site Scripting in MantisBT Vulnerable Products
CVE-2022-28508

6.1MEDIUM

Key Information:

Vendor

Mantisbt

Status
Mantisbt
Vendor
CVE Published:
4 May 2022

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2022-28508?

An XSS vulnerability exists in MantisBT prior to version 2.25.2 within the 'browser_search_plugin.php' file. The flaw arises from the unescaped output of the return parameter, which could allow an attacker to inject malicious code into a hidden input field. This could lead to unauthorized script execution in the context of a user's session, posing significant security risks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-28508
Created by YavuzSahbaz

References

https://mantisbt.org/
x_refsource_MISC
https://sourceforge.net/projects/mantisbt/
x_refsource_MISC
https://github.com/YavuzSahbaz/CVE-2022-28508/blob/main/M...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability Reserved

JSON
.