Executive Summary

This vulnerability exists in Mantis Bug Tracker (MantisBT) versions from 1.3.0 to 2.28.1. It involves the Project Name field, which is not properly escaped. An attacker who has the ability to set the Project Name—typically requiring manager or administrator access—can inject malicious HTML code into the Move Attachments admin page. This could lead to unintended behavior or security issues. The vulnerability was fixed in version 2.28.2.

Useful 0 Not Useful 0

Impact Analysis

Because the vulnerability allows an attacker with elevated privileges to inject HTML into an administrative page, it could lead to cross-site scripting (XSS) or other injection-based attacks. This may result in unauthorized actions being performed in the context of an administrator, data manipulation, or exposure of sensitive information. The impact depends on the attacker's access level and the environment where MantisBT is deployed.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Mantis Bug Tracker to version 2.28.2 or later, where the issue with unescaped Project Name allowing HTML injection in the Move Attachments admin page has been fixed.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is a stored cross-site scripting (XSS) issue that allows an attacker with manager or administrator privileges to inject malicious HTML code via unescaped project names. This can impact the confidentiality, integrity, and availability of the MantisBT system.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities that compromise system confidentiality and integrity can potentially lead to non-compliance with these regulations, especially if sensitive data is exposed or manipulated.

Therefore, organizations using affected versions of MantisBT should consider this vulnerability as a risk factor for compliance and apply the patch to mitigate potential regulatory impacts.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unescaped project names allowing HTML injection on the Move Attachments admin page in MantisBT versions 1.3.0 to 2.28.1. Detection typically requires verifying if the affected MantisBT version is in use and if project names can be set by users with manager or administrator privileges.

To detect the vulnerability, you can check the MantisBT version running on your system. If it is between 1.3.0 and 2.28.1 inclusive, it is potentially vulnerable.

You can also attempt to identify if project names contain unescaped HTML by inspecting the Move Attachments admin page for any HTML injection or unexpected rendering.

Suggested commands to check the version and inspect project names might include:

• Check MantisBT version by accessing the web interface or querying the application version file, for example:
• curl -s http://your-mantisbt-url/api/rest/version or check the version.php file if accessible.
• Manually inspect the Move Attachments admin page in a browser with a user having manager or administrator privileges to see if project names render unescaped HTML.
• If you have database access, query the project names to look for suspicious HTML tags:
• SELECT name FROM mantis_project_table WHERE name LIKE '%<%';

Note that no specific automated detection commands or scripts are provided in the available resources.

Useful 0 Not Useful 0