GHSA-qj6w-v29q-4rgx
MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values
상세
Improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php) allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded.
### Impact Session theft leading to admin account takeover, full project data access.
- Precondition: A textarea-type custom field must be configured for the project - Attacker: Authenticated user with bug report permission (low privilege) - Victim: Any user viewing the bug edit form, including administrators
### Patches - 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
### Workarounds The default Content-Security Policy will block script execution.
### References - https://mantisbt.org/bugs/view.php?id=37003 - This is related to [CVE-2024-34081](https://github.com/advisories/GHSA-wgx7-jp56-65mq).
### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue, and providing a patch to fix it. - Thanks to Nozomu Sasaki (Paul) (@morimori-dev) - Tristan Madani (@TristanInSec) from Talence Security
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
0 수정 버전: 2.28.2 composer require mantisbt/mantisbt:^2.28.2 참고
- https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-39960 [ADVISORY]
- https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7 [WEB]
- https://github.com/mantisbt/mantisbt [PACKAGE]
- https://mantisbt.org/bugs/view.php?id=37003 [WEB]