GHSA-qj6w-v29q-4rgx
MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values
Details
Improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php) allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded.
### Impact Session theft leading to admin account takeover, full project data access.
- Precondition: A textarea-type custom field must be configured for the project - Attacker: Authenticated user with bug report permission (low privilege) - Victim: Any user viewing the bug edit form, including administrators
### Patches - 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
### Workarounds The default Content-Security Policy will block script execution.
### References - https://mantisbt.org/bugs/view.php?id=37003 - This is related to [CVE-2024-34081](https://github.com/advisories/GHSA-wgx7-jp56-65mq).
### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue, and providing a patch to fix it. - Thanks to Nozomu Sasaki (Paul) (@morimori-dev) - Tristan Madani (@TristanInSec) from Talence Security
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 2.28.2 composer require mantisbt/mantisbt:^2.28.2 References
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-39960 [ADVISORY]
- https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7 [WEB]
- https://github.com/mantisbt/mantisbt [PACKAGE]
- https://mantisbt.org/bugs/view.php?id=37003 [WEB]