Search criteria
139 vulnerabilities by mantisbt
CVE-2026-40607 (GCVE-0-2026-40607)
Vulnerability from cvelistv5 – Published: 2026-05-22 19:39 – Updated: 2026-05-26 18:51
VLAI
Title
MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that By default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users' real names (set $g_ show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY).
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/44f49… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37015 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40607",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T18:51:03.130533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T18:51:17.022Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter\u0027s owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that By default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users\u0027 real names (set $g_ show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T19:39:13.817Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-f633-865q-2mhh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-f633-865q-2mhh"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/44f490bcf20fd491c1b8f3fc9dd041d8c2a30010",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/44f490bcf20fd491c1b8f3fc9dd041d8c2a30010"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37015",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37015"
}
],
"source": {
"advisory": "GHSA-f633-865q-2mhh",
"discovery": "UNKNOWN"
},
"title": "MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40607",
"datePublished": "2026-05-22T19:39:13.817Z",
"dateReserved": "2026-04-14T14:07:59.642Z",
"dateUpdated": "2026-05-26T18:51:17.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40598 (GCVE-0-2026-40598)
Vulnerability from cvelistv5 – Published: 2026-05-22 19:32 – Updated: 2026-05-23 02:41
VLAI
Title
MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page (retrieved from the request's Referer header) allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting. This issue has been fixed in version 2.28.2.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/b1ebc… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37017 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40598",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-23T02:39:01.073614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T02:41:23.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=37017"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page (retrieved from the request\u0027s Referer header) allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T19:32:35.535Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-6jh4-47v2-4g37",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-6jh4-47v2-4g37"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/b1ebc57763f104eb5f541b7b4d1ce6948168abd9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/b1ebc57763f104eb5f541b7b4d1ce6948168abd9"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37017",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37017"
}
],
"source": {
"advisory": "GHSA-6jh4-47v2-4g37",
"discovery": "UNKNOWN"
},
"title": "MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40598",
"datePublished": "2026-05-22T19:32:35.535Z",
"dateReserved": "2026-04-14T14:07:59.641Z",
"dateUpdated": "2026-05-23T02:41:23.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40597 (GCVE-0-2026-40597)
Vulnerability from cvelistv5 – Published: 2026-05-22 19:29 – Updated: 2026-05-26 19:06
VLAI
Title
MantisBT has a Content Security Policy bypass via attachments
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a <script> tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type. This issue has been fixed in version 2.28.2.
Severity
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/9e3be… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37016 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T19:05:54.812787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:06:00.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy\u0027s script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a \u003cscript\u003e tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-358",
"description": "CWE-358: Improperly Implemented Security Check for Standard",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T19:29:46.728Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37016",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37016"
}
],
"source": {
"advisory": "GHSA-9c3j-xm6v-j7j3",
"discovery": "UNKNOWN"
},
"title": "MantisBT has a Content Security Policy bypass via attachments"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40597",
"datePublished": "2026-05-22T19:29:46.728Z",
"dateReserved": "2026-04-14T14:07:59.641Z",
"dateUpdated": "2026-05-26T19:06:00.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40596 (GCVE-0-2026-40596)
Vulnerability from cvelistv5 – Published: 2026-05-22 19:25 – Updated: 2026-05-22 20:10
VLAI
Title
MantisBT is vulnerable to XSS and potential account takeover via user font family preference update
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_MISC |
| https://github.com/mantisbt/mantisbt/commit/9e840… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37011 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37016 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T20:10:08.492596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T20:10:16.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account\u0027s font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T19:25:32.812Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j"
},
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37011",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37011"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37016",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37016"
}
],
"source": {
"advisory": "GHSA-j3v9-553h-x28j",
"discovery": "UNKNOWN"
},
"title": "MantisBT is vulnerable to XSS and potential account takeover via user font family preference update"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40596",
"datePublished": "2026-05-22T19:25:32.812Z",
"dateReserved": "2026-04-14T14:07:59.641Z",
"dateUpdated": "2026-05-22T20:10:16.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39960 (GCVE-0-2026-39960)
Vulnerability from cvelistv5 – Published: 2026-05-20 21:11 – Updated: 2026-05-21 13:30
VLAI
Title
MantisBT is Vulnerable to Stored XSS through Custom Field Textarea Values
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page, (bug_update_page.php) allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover, full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution.
Severity
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/5fec0… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T13:29:35.775357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T13:30:07.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field\u0027s contents in the Update Issue page, (bug_update_page.php) allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover, full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T21:11:02.341Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7"
}
],
"source": {
"advisory": "GHSA-qj6w-v29q-4rgx",
"discovery": "UNKNOWN"
},
"title": "MantisBT is Vulnerable to Stored XSS through Custom Field Textarea Values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39960",
"datePublished": "2026-05-20T21:11:02.341Z",
"dateReserved": "2026-04-07T22:40:33.822Z",
"dateUpdated": "2026-05-21T13:30:07.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34970 (GCVE-0-2026-34970)
Vulnerability from cvelistv5 – Published: 2026-05-19 23:17 – Updated: 2026-05-20 13:04
VLAI
Title
MantisBT Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note's Revisions page after losing access to the parent private issue. This issue has been fixed in version 2.28.2.
Severity
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/71df1… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36978 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34970",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:04:45.120015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:04:48.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=36978"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note\u0027s Revisions page after losing access to the parent private issue. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T23:17:59.549Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36978",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36978"
}
],
"source": {
"advisory": "GHSA-crmx-4p49-46m2",
"discovery": "UNKNOWN"
},
"title": "MantisBT Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34970",
"datePublished": "2026-05-19T23:17:59.549Z",
"dateReserved": "2026-03-31T19:38:31.616Z",
"dateUpdated": "2026-05-20T13:04:48.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34754 (GCVE-0-2026-34754)
Vulnerability from cvelistv5 – Published: 2026-05-19 23:05 – Updated: 2026-05-20 15:09
VLAI
Title
MantisBT allows unauthorized users to upload attachments to restricted issues via REST API
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2.
Severity
4.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/b262b… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36976 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:07:20.317286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:09:04.024Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T23:05:27.818Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36976",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36976"
}
],
"source": {
"advisory": "GHSA-h4x5-gvx6-3rwc",
"discovery": "UNKNOWN"
},
"title": "MantisBT allows unauthorized users to upload attachments to restricted issues via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34754",
"datePublished": "2026-05-19T23:05:27.818Z",
"dateReserved": "2026-03-30T19:17:10.225Z",
"dateUpdated": "2026-05-20T15:09:04.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34744 (GCVE-0-2026-34744)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:45 – Updated: 2026-05-20 17:19
VLAI
Title
MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2.
Severity
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/de7bd… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36977 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T17:19:00.457408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T17:19:23.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:45:35.012Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36977",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36977"
}
],
"source": {
"advisory": "GHSA-rmp5-5jj7-gmvf",
"discovery": "UNKNOWN"
},
"title": "MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34744",
"datePublished": "2026-05-19T22:45:35.012Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-05-20T17:19:23.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34579 (GCVE-0-2026-34579)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:06 – Updated: 2026-05-20 15:45
VLAI
Title
MantisBT has an authorization bypass via private issue monitoring
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature . Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content. This issue has been fixed in version 2.28.2.
Severity
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/0a932… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36975 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34579",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T14:25:53.765282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:45:51.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature . Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue\u0027s metadata and content. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:06:26.798Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36975",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36975"
}
],
"source": {
"advisory": "GHSA-ggw7-9675-6v4v",
"discovery": "UNKNOWN"
},
"title": "MantisBT has an authorization bypass via private issue monitoring"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34579",
"datePublished": "2026-05-19T22:06:26.798Z",
"dateReserved": "2026-03-30T16:56:30.998Z",
"dateUpdated": "2026-05-20T15:45:51.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34463 (GCVE-0-2026-34463)
Vulnerability from cvelistv5 – Published: 2026-05-19 21:57 – Updated: 2026-05-20 13:36
VLAI
Title
MantisBT has Stored HTML Injection/XSS via Clone Issue Form
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires manager or administrator access level). This issue has been resolved in version 2.28.2.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/df226… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36986 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:36:36.270656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:36:45.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project\u0027s name (which typically requires manager or administrator access level). This issue has been resolved in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T21:57:49.015Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36986",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36986"
}
],
"source": {
"advisory": "GHSA-fvjf-68wh-rwp2",
"discovery": "UNKNOWN"
},
"title": "MantisBT has Stored HTML Injection/XSS via Clone Issue Form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34463",
"datePublished": "2026-05-19T21:57:49.015Z",
"dateReserved": "2026-03-27T18:18:14.896Z",
"dateUpdated": "2026-05-20T13:36:45.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34390 (GCVE-0-2026-34390)
Vulnerability from cvelistv5 – Published: 2026-05-19 21:54 – Updated: 2026-05-20 13:05
VLAI
Title
MantisBT: Privilege Escalation from Manager to Administrator
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (manage_proj_user_add.php) allow users having manage_project_threshold access level (manager by default) to grant project-level administrator access to any user (including themselves) in any Project they have manager rights in. The normal project-user add form restricts the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. The consequences of the privilege escalation are slight, as having administrator access at Project level is effectively not very different from being manager, and it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. This issue has been fixed in version 2.28.2.
Severity
CWE
- CWE-284 - Improper Access Control
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/69e01… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36995 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37002 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34390",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:05:44.018367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:05:47.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=36995"
},
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=37002"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (manage_proj_user_add.php) allow users having manage_project_threshold access level (manager by default) to grant project-level administrator access to any user (including themselves) in any Project they have manager rights in. The normal project-user add form restricts the selectable access levels to the actor\u0027s own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. The consequences of the privilege escalation are slight, as having administrator access at Project level is effectively not very different from being manager, and it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T21:54:26.043Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36995",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36995"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37002",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37002"
}
],
"source": {
"advisory": "GHSA-frf7-jhp9-jxm6",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Privilege Escalation from Manager to Administrator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34390",
"datePublished": "2026-05-19T21:54:26.043Z",
"dateReserved": "2026-03-27T13:45:29.619Z",
"dateUpdated": "2026-05-20T13:05:47.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33052 (GCVE-0-2026-33052)
Vulnerability from cvelistv5 – Published: 2026-05-19 00:29 – Updated: 2026-05-19 12:46
VLAI
Title
MantisBT: Authorization Bypass in Global Profile Creation
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the "add_profile_threshold" permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/3f952… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36974 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33052",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T12:46:22.931158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:46:26.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=36974"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.28.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the \"add_profile_threshold\" permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T00:29:05.220Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36974",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36974"
}
],
"source": {
"advisory": "GHSA-68w5-w573-q2r8",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Authorization Bypass in Global Profile Creation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33052",
"datePublished": "2026-05-19T00:29:05.220Z",
"dateReserved": "2026-03-17T18:10:50.212Z",
"dateUpdated": "2026-05-19T12:46:26.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33548 (GCVE-0-2026-33548)
Vulnerability from cvelistv5 – Published: 2026-03-23 19:15 – Updated: 2026-03-24 16:06
VLAI
Title
MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html().
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/f3278… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T16:05:45.559424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T16:06:54.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "= 2.28.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this-\u003etag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html()."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T19:15:18.891Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815"
}
],
"source": {
"advisory": "GHSA-73vx-49mv-v8w5",
"discovery": "UNKNOWN"
},
"title": "MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33548",
"datePublished": "2026-03-23T19:15:18.891Z",
"dateReserved": "2026-03-20T18:05:11.832Z",
"dateUpdated": "2026-03-24T16:06:54.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33517 (GCVE-0-2026-33517)
Vulnerability from cvelistv5 – Published: 2026-03-23 19:13 – Updated: 2026-03-24 14:17
VLAI
Title
MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from `$s_tag_delete_message` string.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/80990… | x_refsource_MISC |
| https://github.com/mantisbt/mantisbt/commit/d6890… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:12:05.535567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:17:15.295Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "= 2.28.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from `$s_tag_delete_message` string."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T19:13:15.220Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9"
}
],
"source": {
"advisory": "GHSA-fh48-f69w-7vmp",
"discovery": "UNKNOWN"
},
"title": "MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33517",
"datePublished": "2026-03-23T19:13:15.220Z",
"dateReserved": "2026-03-20T16:59:08.892Z",
"dateUpdated": "2026-03-24T14:17:15.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30849 (GCVE-0-2026-30849)
Vulnerability from cvelistv5 – Published: 2026-03-23 19:10 – Updated: 2026-03-24 18:30
VLAI
Title
MantisBT SOAP API has an authentication bypass vulnerability on MySQL
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of an improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. Using a crafted SOAP envelope, an attacker knowing the victim's username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. Version 2.28.1 contains a patch. Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.
Severity
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/b349e… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T18:29:55.283729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:30:05.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of an improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. Using a crafted SOAP envelope, an attacker knowing the victim\u0027s username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. Version 2.28.1 contains a patch. Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T19:10:34.345Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f"
}
],
"source": {
"advisory": "GHSA-phrq-pc6r-f6gh",
"discovery": "UNKNOWN"
},
"title": "MantisBT SOAP API has an authentication bypass vulnerability on MySQL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30849",
"datePublished": "2026-03-23T19:10:34.345Z",
"dateReserved": "2026-03-05T21:27:35.341Z",
"dateUpdated": "2026-03-24T18:30:05.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62520 (GCVE-0-2025-62520)
Vulnerability from cvelistv5 – Published: 2025-11-04 21:31 – Updated: 2025-11-04 21:48
VLAI
Title
MantisBT unauthorized disclosure of private project column configuration
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, due to insufficient access-level checks, any non-admin user with access to manage_config_columns_page.php can use the Copy From action to retrieve the columns configuration from a private project they have no access to. This issue is fixed in version 2.27.2.
Severity
CWE
- CWE-285 - Improper Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/4fe94… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36502 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62520",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-04T21:44:26.903676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T21:48:13.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.27.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, due to insufficient access-level checks, any non-admin user with access to manage_config_columns_page.php can use the Copy From action to retrieve the columns configuration from a private project they have no access to. This issue is fixed in version 2.27.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T21:31:13.261Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-g582-8vwr-68h2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-g582-8vwr-68h2"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/4fe94f45fa2baea2aeb4b65781d2009e7b4a0bf3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/4fe94f45fa2baea2aeb4b65781d2009e7b4a0bf3"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36502",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36502"
}
],
"source": {
"advisory": "GHSA-g582-8vwr-68h2",
"discovery": "UNKNOWN"
},
"title": "MantisBT unauthorized disclosure of private project column configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62520",
"datePublished": "2025-11-04T21:31:13.261Z",
"dateReserved": "2025-10-15T15:03:28.134Z",
"dateUpdated": "2025-11-04T21:48:13.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55155 (GCVE-0-2025-55155)
Vulnerability from cvelistv5 – Published: 2025-11-04 20:48 – Updated: 2025-11-04 21:03
VLAI
Title
MantisBT: Authentication bypass for some passwords due to PHP type juggling
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person's email address could lead to information disclosure. This issue is fixed in version 2.27.2.
Severity
5.4 (Medium)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/21e9f… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36005 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-04T21:03:02.558301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T21:03:12.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.27.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person\u0027s email address could lead to information disclosure. This issue is fixed in version 2.27.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-354",
"description": "CWE-354: Improper Validation of Integrity Check Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T20:48:03.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36005",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36005"
}
],
"source": {
"advisory": "GHSA-q747-c74m-69pr",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Authentication bypass for some passwords due to PHP type juggling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55155",
"datePublished": "2025-11-04T20:48:03.428Z",
"dateReserved": "2025-08-07T18:27:23.306Z",
"dateUpdated": "2025-11-04T21:03:12.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47776 (GCVE-0-2025-47776)
Vulnerability from cvelistv5 – Published: 2025-11-04 20:31 – Updated: 2025-11-05 18:48
VLAI
Title
MantisBT: Authentication bypass for some passwords due to PHP type juggling
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Due to incorrect use of loose (==) instead of strict (===) comparison in the authentication code in versions 2.27.1 and below.PHP type juggling will cause certain MD5 hashes matching scientific notation to be interpreted as numbers. Instances using the MD5 login method allow an attacker who knows the victim's username and has access to an account with a password hash that evaluates to zero to log in without knowing the victim's actual password, by using any other password with a hash that also evaluates to zero This issue is fixed in version 2.27.2.
Severity
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/96655… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-04T20:41:52.816601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T18:48:23.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.27.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Due to incorrect use of loose (==) instead of strict (===) comparison in the authentication code in versions 2.27.1 and below.PHP type juggling will cause certain MD5 hashes matching scientific notation to be interpreted as numbers. Instances using the MD5 login method allow an attacker who knows the victim\u0027s username and has access to an account with a password hash that evaluates to zero to log in without knowing the victim\u0027s actual password, by using any other password with a hash that also evaluates to zero This issue is fixed in version 2.27.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T20:31:01.759Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-4v8w-gg5j-ph37"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/966554a19cf1bdbcfbfb3004766979faa748f9a2"
}
],
"source": {
"advisory": "GHSA-4v8w-gg5j-ph37",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Authentication bypass for some passwords due to PHP type juggling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47776",
"datePublished": "2025-11-04T20:31:01.759Z",
"dateReserved": "2025-05-09T19:49:35.620Z",
"dateUpdated": "2025-11-05T18:48:23.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46556 (GCVE-0-2025-46556)
Vulnerability from cvelistv5 – Published: 2025-11-04 00:20 – Updated: 2025-11-06 20:44
VLAI
Title
MantisBT is Vulnerable to Denial-of-Service (DoS) attack via Excessive Note Length
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters) due to a lack of server-side validation of note length. Once such a note is added, the activity stream UI fails to render; therefore, new notes cannot be displayed, effectively breaking all future collaboration on the issue. This issue is fixed in version 2.27.2.
Severity
6.5 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/c99a4… | x_refsource_MISC |
| https://github.com/mantisbt/mantisbt/commit/d5cec… | x_refsource_MISC |
| https://github.com/mantisbt/mantisbt/commit/e9119… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T20:44:31.776476Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:44:40.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.27.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters) due to a lack of server-side validation of note length. Once such a note is added, the activity stream UI fails to render; therefore, new notes cannot be displayed, effectively breaking all future collaboration on the issue. This issue is fixed in version 2.27.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T00:20:28.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361"
}
],
"source": {
"advisory": "GHSA-r3jf-hm7q-qfw5",
"discovery": "UNKNOWN"
},
"title": "MantisBT is Vulnerable to Denial-of-Service (DoS) attack via Excessive Note Length"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46556",
"datePublished": "2025-11-04T00:20:28.193Z",
"dateReserved": "2025-04-24T21:10:48.173Z",
"dateUpdated": "2025-11-06T20:44:40.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45792 (GCVE-0-2024-45792)
Vulnerability from cvelistv5 – Published: 2024-09-30 14:40 – Updated: 2024-09-30 15:31
VLAI
Title
MantisBT vulnerable to information disclosure with user profiles
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Using a crafted POST request, an unprivileged, registered user is able to retrieve information about other users' personal system profiles. This vulnerability is fixed in 2.26.4.
Severity
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/ef0f8… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=34640 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45792",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T15:31:35.315473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:31:48.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.26.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Using a crafted POST request, an unprivileged, registered user is able to retrieve information about other users\u0027 personal system profiles. This vulnerability is fixed in 2.26.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T14:40:25.616Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h5q3-fjp4-2x7r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h5q3-fjp4-2x7r"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/ef0f820284032350cc20a39ff9cb2010d5463b41",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/ef0f820284032350cc20a39ff9cb2010d5463b41"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=34640",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=34640"
}
],
"source": {
"advisory": "GHSA-h5q3-fjp4-2x7r",
"discovery": "UNKNOWN"
},
"title": "MantisBT vulnerable to information disclosure with user profiles"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45792",
"datePublished": "2024-09-30T14:40:25.616Z",
"dateReserved": "2024-09-09T14:23:07.500Z",
"dateUpdated": "2024-09-30T15:31:48.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34081 (GCVE-0-2024-34081)
Vulnerability from cvelistv5 – Published: 2024-05-13 15:40 – Updated: 2024-08-02 02:42
VLAI
Title
MantisBT Cross-site Scripting vulnerability
Summary
MantisBT (Mantis Bug Tracker) is an open source issue tracker. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when resolving or closing issues (`bug_change_status_page.php`) belonging to a project linking said custom field, viewing issues (`view_all_bug_page.php`) when the custom field is displayed as a column, or printing issues (`print_all_bug_page.php`) when the custom field is displayed as a column. Version 2.26.2 contains a patch for the issue. As a workaround, ensure Custom Field Names do not contain HTML tags.
Severity
6.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/447a5… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=34432 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T19:02:37.888445Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T19:02:46.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:42:59.876Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-wgx7-jp56-65mq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-wgx7-jp56-65mq"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=34432",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mantisbt.org/bugs/view.php?id=34432"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MantisBT (Mantis Bug Tracker) is an open source issue tracker. Improper escaping of a custom field\u0027s name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when resolving or closing issues (`bug_change_status_page.php`) belonging to a project linking said custom field, viewing issues (`view_all_bug_page.php`) when the custom field is displayed as a column, or printing issues (`print_all_bug_page.php`) when the custom field is displayed as a column. Version 2.26.2 contains a patch for the issue. As a workaround, ensure Custom Field Names do not contain HTML tags."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T15:40:54.014Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-wgx7-jp56-65mq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-wgx7-jp56-65mq"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=34432",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=34432"
}
],
"source": {
"advisory": "GHSA-wgx7-jp56-65mq",
"discovery": "UNKNOWN"
},
"title": "MantisBT Cross-site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34081",
"datePublished": "2024-05-13T15:40:54.014Z",
"dateReserved": "2024-04-30T06:56:33.384Z",
"dateUpdated": "2024-08-02T02:42:59.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34080 (GCVE-0-2024-34080)
Vulnerability from cvelistv5 – Published: 2024-05-13 15:35 – Updated: 2024-08-02 02:42
VLAI
Title
MantisBT Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Summary
MantisBT (Mantis Bug Tracker) is an open source issue tracker. If an issue references a note that belongs to another issue that the user doesn't have access to, then it gets hyperlinked. Clicking on the link gives an access denied error as expected, yet some information remains available via the link, link label, and tooltip. This can result in disclosure of the existence of the note, the note author name, the note creation timestamp, and the issue id the note belongs to. Version 2.26.2 contains a patch for the issue. No known workarounds are available.
Severity
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/pull/2000 | x_refsource_MISC |
| https://github.com/mantisbt/mantisbt/commit/0a505… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=34434 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mantisbt:mantisbt:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"lessThan": "2.26.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-13T18:31:57.581342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T17:59:48.416Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:42:59.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-99jc-wqmr-ff2q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-99jc-wqmr-ff2q"
},
{
"name": "https://github.com/mantisbt/mantisbt/pull/2000",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/pull/2000"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/0a50562369d823689c9b946066d1e49d3c2df226",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/commit/0a50562369d823689c9b946066d1e49d3c2df226"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=34434",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mantisbt.org/bugs/view.php?id=34434"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MantisBT (Mantis Bug Tracker) is an open source issue tracker. If an issue references a note that belongs to another issue that the user doesn\u0027t have access to, then it gets hyperlinked. Clicking on the link gives an access denied error as expected, yet some information remains available via the link, link label, and tooltip. This can result in disclosure of the existence of the note, the note author name, the note creation timestamp, and the issue id the note belongs to. Version 2.26.2 contains a patch for the issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T15:35:00.399Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-99jc-wqmr-ff2q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-99jc-wqmr-ff2q"
},
{
"name": "https://github.com/mantisbt/mantisbt/pull/2000",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/pull/2000"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/0a50562369d823689c9b946066d1e49d3c2df226",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/0a50562369d823689c9b946066d1e49d3c2df226"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=34434",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=34434"
}
],
"source": {
"advisory": "GHSA-99jc-wqmr-ff2q",
"discovery": "UNKNOWN"
},
"title": "MantisBT Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34080",
"datePublished": "2024-05-13T15:35:00.399Z",
"dateReserved": "2024-04-30T06:56:33.384Z",
"dateUpdated": "2024-08-02T02:42:59.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34077 (GCVE-0-2024-34077)
Vulnerability from cvelistv5 – Published: 2024-05-13 15:30 – Updated: 2024-08-02 02:42
VLAI
Title
MantisBT user account takeover in the signup/reset password process
Summary
MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending. The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password. A brute-force attack calling account_update.php with increasing user IDs is possible. A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to. Version 2.26.2 contains a patch for the issue. As a workaround, one may mitigate the risk by reducing the verification token's validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in `constants_inc.php`).
Severity
7.3 (High)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/92d11… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=34433 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mantisbt:mantisbt:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34077",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-13T19:51:24.911983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:42:02.555Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:42:59.849Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/92d11a01b195a1b6717a2f205218089158ea6d00",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/commit/92d11a01b195a1b6717a2f205218089158ea6d00"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=34433",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mantisbt.org/bugs/view.php?id=34433"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset process allows an attacker to reset another user\u0027s password and takeover their account, if the victim has an incomplete request pending. The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password. A brute-force attack calling account_update.php with increasing user IDs is possible. A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to. Version 2.26.2 contains a patch for the issue. As a workaround, one may mitigate the risk by reducing the verification token\u0027s validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in `constants_inc.php`)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620: Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T15:30:32.334Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/92d11a01b195a1b6717a2f205218089158ea6d00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/92d11a01b195a1b6717a2f205218089158ea6d00"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=34433",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=34433"
}
],
"source": {
"advisory": "GHSA-93x3-m7pw-ppqm",
"discovery": "UNKNOWN"
},
"title": "MantisBT user account takeover in the signup/reset password process"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34077",
"datePublished": "2024-05-13T15:30:32.334Z",
"dateReserved": "2024-04-30T06:56:33.383Z",
"dateUpdated": "2024-08-02T02:42:59.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23830 (GCVE-0-2024-23830)
Vulnerability from cvelistv5 – Published: 2024-02-20 21:44 – Updated: 2024-08-01 23:13
VLAI
Title
MantisBT Host Header Injection vulnerability
Summary
MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user's email address and username can hijack the user's account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define `$g_path` as appropriate in `config_inc.php`.
Severity
8.3 (High)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/70557… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=19381 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23830",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T16:05:28.582374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:50.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:13:08.218Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-mcqj-7p29-9528",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-mcqj-7p29-9528"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/7055731d09ff12b2781410a372f790172e279744",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/commit/7055731d09ff12b2781410a372f790172e279744"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=19381",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mantisbt.org/bugs/view.php?id=19381"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.26.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user\u0027s email address and username can hijack the user\u0027s account by poisoning the link in the password reset notification message. A patch is available in version 2.26.1. As a workaround, define `$g_path` as appropriate in `config_inc.php`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T21:44:27.707Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-mcqj-7p29-9528",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-mcqj-7p29-9528"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/7055731d09ff12b2781410a372f790172e279744",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/7055731d09ff12b2781410a372f790172e279744"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=19381",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=19381"
}
],
"source": {
"advisory": "GHSA-mcqj-7p29-9528",
"discovery": "UNKNOWN"
},
"title": "MantisBT Host Header Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23830",
"datePublished": "2024-02-20T21:44:27.707Z",
"dateReserved": "2024-01-22T22:23:54.339Z",
"dateUpdated": "2024-08-01T23:13:08.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49802 (GCVE-0-2023-49802)
Vulnerability from cvelistv5 – Published: 2023-12-11 21:11 – Updated: 2024-08-28 15:12
VLAI
Title
MantisBT LinkedCustomFields Cross-site Scripting vulnerability
Summary
The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin and displayed when reporting a new Issue or editing an existing one. This issue is fixed in version 2.0.1. As a workaround, one may utilize MantisBT's default Content Security Policy, which blocks script execution.
Severity
6.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt-plugins/LinkedCustomF… | x_refsource_CONFIRM |
| https://github.com/mantisbt-plugins/LinkedCustomF… | x_refsource_MISC |
| https://github.com/mantisbt-plugins/LinkedCustomF… | x_refsource_MISC |
| https://github.com/mantisbt-plugins/LinkedCustomF… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mantisbt-plugins | LinkedCustomFields |
Affected:
< 2.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:26.034Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw"
},
{
"name": "https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10"
},
{
"name": "https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11"
},
{
"name": "https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49802",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T15:12:18.863462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T15:12:57.432Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "LinkedCustomFields",
"vendor": "mantisbt-plugins",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin and displayed when reporting a new Issue or editing an existing one. This issue is fixed in version 2.0.1. As a workaround, one may utilize MantisBT\u0027s default Content Security Policy, which blocks script execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T21:11:53.407Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt-plugins/LinkedCustomFields/security/advisories/GHSA-2f37-9xpx-5hhw"
},
{
"name": "https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt-plugins/LinkedCustomFields/issues/10"
},
{
"name": "https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt-plugins/LinkedCustomFields/pull/11"
},
{
"name": "https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt-plugins/LinkedCustomFields/commit/30e5ae751e40d7ae18bfd794fd48671477b3d286"
}
],
"source": {
"advisory": "GHSA-2f37-9xpx-5hhw",
"discovery": "UNKNOWN"
},
"title": "MantisBT LinkedCustomFields Cross-site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49802",
"datePublished": "2023-12-11T21:11:53.407Z",
"dateReserved": "2023-11-30T13:39:50.864Z",
"dateUpdated": "2024-08-28T15:12:57.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-44394 (GCVE-0-2023-44394)
Vulnerability from cvelistv5 – Published: 2023-10-16 21:00 – Updated: 2025-08-11 14:49
VLAI
Title
Disclosure of project names to unauthorized users in MantisBT
Summary
MantisBT is an open source bug tracker. Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs. This issue has been addressed in commit `65c44883f` which has been included in release `2.25.8`. Users are advised to upgrade. Users unable to upgrade should disable wiki integration ( `$g_wiki_enable = OFF;`).
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/65c44… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=32981 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:33.024Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-v642-mh27-8j6m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-v642-mh27-8j6m"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/65c44883f9d24f3ccef066fb523c93d8fdd7afc1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/commit/65c44883f9d24f3ccef066fb523c93d8fdd7afc1"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=32981",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mantisbt.org/bugs/view.php?id=32981"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44394",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T18:58:41.131236Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T18:59:53.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.25.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MantisBT is an open source bug tracker. Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects\u0027 names, by accessing wiki.php with sequentially incremented IDs. This issue has been addressed in commit `65c44883f` which has been included in release `2.25.8`. Users are advised to upgrade. Users unable to upgrade should disable wiki integration ( `$g_wiki_enable = OFF;`)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T14:49:08.671Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-v642-mh27-8j6m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-v642-mh27-8j6m"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/65c44883f9d24f3ccef066fb523c93d8fdd7afc1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/65c44883f9d24f3ccef066fb523c93d8fdd7afc1"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=32981",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=32981"
}
],
"source": {
"advisory": "GHSA-v642-mh27-8j6m",
"discovery": "UNKNOWN"
},
"title": "Disclosure of project names to unauthorized users in MantisBT"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-44394",
"datePublished": "2023-10-16T21:00:46.324Z",
"dateReserved": "2023-09-28T17:56:32.614Z",
"dateUpdated": "2025-08-11T14:49:08.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22476 (GCVE-0-2023-22476)
Vulnerability from cvelistv5 – Published: 2023-02-23 19:00 – Updated: 2025-03-10 21:06
VLAI
Title
MantisBT: Exposure of Private issues' summary to unauthorized users
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions prior to 2.25.6, due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can access to the _Summary_ field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted `bug_arr[]` parameter in *bug_actiongroup_ext.php*. This issue is fixed in version 2.25.6. There are no workarounds.
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://www.mantisbt.org/bugs/view.php?id=31086 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79"
},
{
"name": "https://www.mantisbt.org/bugs/view.php?id=31086",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mantisbt.org/bugs/view.php?id=31086"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22476",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:00:04.346402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:06:35.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.25.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions prior to 2.25.6, due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can access to the _Summary_ field of private Issues (i.e. having Private view status, or belonging to a private Project) via a crafted `bug_arr[]` parameter in *bug_actiongroup_ext.php*. This issue is fixed in version 2.25.6. There are no workarounds.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-23T19:00:02.754Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-hf4x-6h87-hm79"
},
{
"name": "https://www.mantisbt.org/bugs/view.php?id=31086",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mantisbt.org/bugs/view.php?id=31086"
}
],
"source": {
"advisory": "GHSA-hf4x-6h87-hm79",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Exposure of Private issues\u0027 summary to unauthorized users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22476",
"datePublished": "2023-02-23T19:00:02.754Z",
"dateReserved": "2022-12-29T17:41:28.087Z",
"dateUpdated": "2025-03-10T21:06:35.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33910 (GCVE-0-2022-33910)
Vulnerability from cvelistv5 – Published: 2022-06-24 16:45 – Updated: 2024-08-03 08:09
VLAI
Summary
An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://mantisbt.org/bugs/view.php?id=29135 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=30384 | x_refsource_MISC |
| https://mantisbt.org/blog/archives/mantisbt/719 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:09:22.658Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mantisbt.org/bugs/view.php?id=29135"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mantisbt.org/bugs/view.php?id=30384"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mantisbt.org/blog/archives/mantisbt/719"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-24T16:45:56.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=29135"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=30384"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mantisbt.org/blog/archives/mantisbt/719"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-33910",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mantisbt.org/bugs/view.php?id=29135",
"refsource": "MISC",
"url": "https://mantisbt.org/bugs/view.php?id=29135"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=30384",
"refsource": "MISC",
"url": "https://mantisbt.org/bugs/view.php?id=30384"
},
{
"name": "https://mantisbt.org/blog/archives/mantisbt/719",
"refsource": "CONFIRM",
"url": "https://mantisbt.org/blog/archives/mantisbt/719"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-33910",
"datePublished": "2022-06-24T16:45:56.000Z",
"dateReserved": "2022-06-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T08:09:22.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28508 (GCVE-0-2022-28508)
Vulnerability from cvelistv5 – Published: 2022-05-04 13:50 – Updated: 2024-08-03 05:56
VLAI
Summary
An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://mantisbt.org/ | x_refsource_MISC |
| https://sourceforge.net/projects/mantisbt/ | x_refsource_MISC |
| https://github.com/YavuzSahbaz/CVE-2022-28508/blo… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:56:15.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mantisbt.org/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/mantisbt/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/YavuzSahbaz/CVE-2022-28508/blob/main/MantisBT%202.25.2%20XSS%20vulnurability"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-04T13:50:55.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/mantisbt/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/YavuzSahbaz/CVE-2022-28508/blob/main/MantisBT%202.25.2%20XSS%20vulnurability"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-28508",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mantisbt.org/",
"refsource": "MISC",
"url": "https://mantisbt.org/"
},
{
"name": "https://sourceforge.net/projects/mantisbt/",
"refsource": "MISC",
"url": "https://sourceforge.net/projects/mantisbt/"
},
{
"name": "https://github.com/YavuzSahbaz/CVE-2022-28508/blob/main/MantisBT%202.25.2%20XSS%20vulnurability",
"refsource": "MISC",
"url": "https://github.com/YavuzSahbaz/CVE-2022-28508/blob/main/MantisBT%202.25.2%20XSS%20vulnurability"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-28508",
"datePublished": "2022-05-04T13:50:55.000Z",
"dateReserved": "2022-04-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:56:15.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43257 (GCVE-0-2021-43257)
Vulnerability from cvelistv5 – Published: 2022-04-14 19:25 – Updated: 2024-08-04 03:55
VLAI
Summary
Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.mantisbt.org/bugs/view.php?id=29130 | x_refsource_MISC |
| https://github.com/mantisbt/mantisbt/commit/7f453… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.250Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mantisbt.org/bugs/view.php?id=29130"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-14T19:25:45.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mantisbt.org/bugs/view.php?id=29130"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43257",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mantisbt.org/bugs/view.php?id=29130",
"refsource": "MISC",
"url": "https://www.mantisbt.org/bugs/view.php?id=29130"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e",
"refsource": "MISC",
"url": "https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43257",
"datePublished": "2022-04-14T19:25:45.000Z",
"dateReserved": "2021-11-02T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:55:28.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}