XSS Vulnerability in MantisBT Affects Users through SVG Attachments
CVE-2022-33910

5.4MEDIUM

Key Information:

Vendor

Mantisbt

Status
Mantisbt
Vendor
CVE Published:
24 June 2022

What is CVE-2022-33910?

An XSS vulnerability exists in MantisBT versions prior to 2.25.5, allowing remote attackers to exploit the system by attaching crafted SVG documents to issue reports or bug notes. When these attachments are clicked by users or administrators, the vulnerable file_download.php script opens the SVG document directly in a browser tab, leading to the execution of malicious JavaScript code. This could compromise user data and application security, highlighting the importance of timely updates and security awareness.

References

https://mantisbt.org/bugs/view.php?id=29135
x_refsource_MISC
https://mantisbt.org/bugs/view.php?id=30384
x_refsource_MISC
https://mantisbt.org/blog/archives/mantisbt/719
x_refsource_CONFIRM

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.